Directus is a database-first, source-available headless CMS whose core strengths are developer-centric: granular policy-based permissions, a comprehensive extension model, dual REST/GraphQL APIs with behavior parity, and front-of-field AI infrastructure (an official free MCP server, BYOK across providers, and native AI translations in v12). It is best understood as flexible content/data infrastructure rather than a turnkey marketing or commerce suite — it has no native personalization, A/B testing, commerce, or campaign tooling, and its intranet and multi-brand fit relies on DIY RBAC patterns. The June 2026 v12 MSCL relicense is the dominant recent risk: active license enforcement now gates SSO and custom permission rules behind paid tiers, creates a steep free-to-paid pricing cliff, and has soured open-source community sentiment, pushing some self-hosters toward Payload and Pocketbase.
Directus maps all DB column types to a rich field set: string/text, number, datetime, boolean, JSON, UUID, geospatial (GeoJSON), file, and alias/relational fields. Schema-as-code is first-class via `directus schema snapshot` (YAML/JSON export) and `schema apply` with diff-based migration, enabling CI/CD environment promotion. Repeater fields handle nested JSON arrays; M2A handles polymorphic references; v12 added AI-assisted translation field generation (gated on a paid license under the new MSCL model). Not quite 80+ because geospatial requires DB-level extension support, union-typed fields beyond M2A are limited, and the v12 Free Core Tier caps larger orgs at 50 collections.
Directus natively supports M2O, O2M, M2M (auto-created junction table), and M2A (Many-to-Any — polymorphic references across multiple collections). M2O/O2M pairs are surfaced bidirectionally in the data model. M2A is the key differentiator, enabling one field to reference items from any number of collections by storing collection name + item ID in the junction. v12 tightened M2A handling as a breaking change — M2A fields queried without a specified collection name now throw an error rather than silently returning partial data, forcing explicit collection naming. Fully queryable from both sides and foundational for block-based page building.
Block-based composition is achieved via M2A relationships — create block-type collections (hero, text, CTA, etc.) and an M2A field on the page collection. Repeater fields handle simple inline sub-object arrays. Community extension `directus-extension-flexible-editor` integrates Tiptap with M2A relation nodes for embedded structured blocks within rich text. Prevents a higher score: nested repeaters (repeater-in-repeater) are not natively supported; the block system requires developer setup rather than being a turnkey feature.
Built-in validations include required, unique, regex (with custom error messages), min/max for numeric and text, and conditional validation — field-level conditions that change required/validation rules based on the values of other fields in the same item. Validations fire on create/update via the app or API. Custom validation beyond regex is possible via Flows (event-driven automations) or custom API extension hooks. Conditional cross-field validation is a genuine strength that pushes this into the 70+ range.
v12 (June 2026) made draft/published a native, first-class workflow: every item has explicit draft and published states, editors work on drafts by default and publish intentionally, with clear version indicators across the Studio and Visual Editor — building on v11.16 global draft versions. Named content versions, granular revision history with a color-coded diff comparison modal, promote-to-main, and configurable retention all remain. The score is held below 80 because scheduled releases and content branching are still on the roadmap (v12 explicitly 'lays the basis' for them but does not ship them), and there is no Git-style branching.
The v12 Studio redesign reworked navigation, header, sidebar, and action patterns specifically to improve the day-to-day experience for non-technical users, and the Visual Editor (`@directus/visual-editing`) marks editable elements with `data-directus` attributes to render the live site in an iframe for in-context editing with version-aware indicators. Editors navigate the real site and edit linked items in place. Still capped below 70 because, per the scoring anti-pattern, this is in-context field editing — not a drag-and-drop page builder; there is no component rearrangement or layout construction for marketers without developer setup.
Native built-in editors (WYSIWYG and Markdown interfaces) output HTML string and Markdown string respectively — neither outputs a portable AST. Multiple community Tiptap extensions exist: `directus-extension-flexible-editor` outputs ProseMirror JSON AST with embedded M2A relation nodes; `@bicou/directus-extension-tiptap` also supports JSON or HTML storage; a community 'WYSIWYG (Enhanced)' interface added native TinyMCE image/video resize handles. Because AST output requires third-party extensions not bundled in core, the native experience scores in the adequate range.
Directus wraps the Sharp library for on-the-fly image transforms via URL parameters — resize, crop, format conversion, quality, blur, and more. WebP and AVIF both natively supported (`?format=webp`, `?format=avif`). Focal point stored per file (`focal_point_x/y`) and applied automatically during crop. Transformation presets definable by admins and referenced by name. Folder organization, metadata, alt text, tags. v11.17 improved background data imports with configurable concurrency and timeout. The gap to 80+ is the absence of a built-in managed CDN for assets (in self-hosted) and no native DAM-level features like rights management.
Native real-time collaborative editing in core since v11.15 (February 2026). Multiple users can edit the same record simultaneously; field-level locking prevents last-write-wins conflicts; presence indicators show user avatars in the item header and next to specific fields being edited. WebSocket-backed with Redis for multi-instance deployments. Promoted from community extension to core for deeper platform integration. Falls just short of 80+ because field-level locking (not true simultaneous per-character co-editing like Google Docs).
v12 added native draft/publish states so editors work on drafts by default and publish intentionally — a real improvement over the prior status-field-only approach. Beyond that binary, multi-stage approval still relies on status fields + Flows + role-based permissions: writers submit, a Flow notifies reviewers, permissions block publishing until approved. The score is held in the mid-60s because Directus itself states approval workflows are future work, there is no visual BPMN-style workflow designer, and crucially the v12 MSCL license now gates custom permission rules behind a paid tier — the very mechanism used to enforce role-based stage transitions.
Both REST and GraphQL are first-class, auto-generated from the data model with behavior parity. REST filter syntax supports logical operators (`_and`, `_or`, `_not`), deep filtering on relations, aggregation, field selection, sorting, and pagination; GraphQL adds WebSocket subscriptions. v12 added dot-notation path queries on JSON fields, enabling database-level filtering on specific nested values without pulling and parsing whole JSON blobs client-side. Official TypeScript-first SDK (`@directus/sdk`) with `rest()`, `graphql()`, and `realtime()` composables; native MCP support since v11.13.
Directus Cloud (managed hosting) includes a global CDN as part of its infrastructure. Self-hosted Directus has no built-in CDN — the recommended pattern is placing Cloudflare or Fastly in front with correct `Cache-Control` headers. Server-side caching via Redis or in-memory reduces origin load. v12 added a deployment dashboard with real-time status via Vercel/Netlify provider webhooks, but this orchestrates frontend builds, not content CDN or edge delivery. No documented sub-second cache purge or edge computing capabilities for self-hosted.
Flows are the sole automation system with five trigger types: event hook (item CRUD, file upload, login, errors), incoming webhook (GET/POST with async response option), CRON schedule, another flow, and manual trigger. Filter hooks are blocking (can transform/reject); action hooks are fire-and-forget. Official n8n integration adds a dedicated Directus Trigger node for event-driven external workflows. Key gaps remain: no native HMAC signing on outgoing payloads and no built-in retry logic for failed webhook deliveries.
Directus is database-first and API-first — all content accessible via REST and GraphQL with no coupled frontend. Official `@directus/sdk` is TypeScript-first, isomorphic, modular, supporting REST, GraphQL, and real-time WebSocket subscriptions. Official starters for Next.js, Nuxt, SvelteKit, Astro, and React Native; v12 added AI-assisted translations for multilingual delivery. Community SDKs for Python, Go, Dart/Flutter exist but are not officially maintained. Score held below 80 because the official SDK covers only JS/TS natively and core rich text output is HTML/Markdown (not AST).
Directus has no native audience segmentation engine. The platform's own blog post ('Is Your CMS Ready for AI & Personalization?') explicitly frames Directus as the infrastructure layer where segment metadata can be stored, not as the segmentation engine itself. All targeting logic must live in the delivery layer; no official CDP integrations are documented as of v12.0.
Directus can store content variants as separate items with metadata fields for targeting rules, but there is no native variant-serving mechanism, in-editor preview per audience, or decision engine. Personalization requires a fully external implementation (edge function, CDN logic, or third-party tool). No official first-party personalization integrations exist in the v12.0 Marketplace.
No native A/B or multivariate testing capability. Directus is a content repository only; experimentation logic, traffic allocation, and results reporting all require fully external tools. No documented integration with Optimizely Web, LaunchDarkly, or similar platforms.
No algorithmic content recommendation engine exists in Directus. The platform provides no ML-based, collaborative filtering, or weighted editorial recommendation layer. Manual content curation is possible via editorial tooling but there is no algorithmic support whatsoever.
Directus provides a basic `?search=` query parameter that performs case-insensitive LIKE queries across string fields. There is no relevance ranking, typo tolerance, faceting, autocomplete, or semantic matching. This is filter-level search at best, not a search engine.
Directus has official Algolia and Elasticsearch Operations in the Marketplace, enabling Flows to create, update, delete, and search records in both platforms natively without custom code. The community extension `directus-extension-searchsync` has long supported both engines. This is a first-class integration path with documented patterns.
Directus has no native commerce module — no product catalog, cart, pricing, inventory, or order management. This is by explicit design. GitHub discussion #16778 confirms commerce logic is intentionally deferred to dedicated commerce platforms.
No official pre-built connectors to Shopify, commercetools, or BigCommerce with product picker UIs. Directus has a 'Built With Directus' PIM showcase for Shopify showing an architecture pattern. The Zapier beta integration and n8n verified node enable Shopify automation workflows, but these are iPaaS bridges without product picker UI or live data federation. No Marketplace connector for commercetools, BigCommerce, or Salesforce Commerce Cloud.
Directus's flexible schema builder handles product-specific field patterns well — rich text, images (via File Library), relational attributes, translations, and variant structures are all native. Multiple 'Built With Directus' showcases demonstrate fashion/e-commerce PIM architectures. This is a generic content model repurposed for products rather than a product-specific content type system.
Directus Insights provides customizable dashboards over data stored in the Directus database — this is data visualization of your own content data, not content performance analytics. There is no tracking of consumer page views, engagement, or content health. A community Marketplace extension adds API activity and storage usage metrics. No content performance loop exists.
No official GA4, Segment, or Amplitude first-party integrations. However, the official Zapier beta integration and n8n verified node provide documented iPaaS paths to analytics platforms without requiring custom webhook code. Directus Flows can also emit webhooks on content operations. This is iPaaS-mediated integration, not a native analytics connector, but materially easier than raw webhook-only patterns.
Multi-site is achievable via a single Directus instance with RBAC and row-level permissions (dynamic variables scope data per site/brand). A Directus TV episode ('Mission: Multisite CMS') documents the architecture pattern. However, there is no dedicated multi-site UI module, no shared component library tooling, and no centralized governance dashboard — this is a DIY RBAC pattern, not a native multi-site product.
Directus provides native field-level translations via a Translations relational field that auto-generates junction tables per collection. All locales are managed within a single item view; editors can work on individual locales without affecting others. The admin UI itself supports 55 languages. The v11.17 translation collections auto-generator and v12.0 redesigned Studio carry this forward; ISO locale codes are supported throughout.
Crowdin has an official first-party integration with documented tutorial and a Crowdin Marketplace app for auto-syncing source strings and translations. Localazy also has an official plugin. However, Phrase (Memsource), Smartling, and Lokalise have no official first-party integrations — those require custom Flows/webhooks. Two official TMS integrations is solid for a tier-2 open source platform.
Multi-brand management is handled through Directus RBAC — roles per brand, row-level permissions, custom access policies. There is no dedicated brand governance module, no cross-brand approval workflow tooling, and no global style/policy enforcement dashboard. Organization-level management without cross-brand policy enforcement.
Directus File Library provides folder hierarchy, automatic EXIF/IPTC/ICC metadata extraction on ingest, custom metadata fields, bulk operations, tag-based browsing, and RBAC-based file/folder access control. Content Versioning tracks item deltas but this is not file-level asset versioning. No rights management, expiry/licensing controls, or usage tracking across content. A solid mid-tier asset library, not a purpose-built DAM.
Directus performs on-the-fly image transforms server-side via Sharp: resize, crop, fit modes (cover/contain/inside/outside), WebP/AVIF auto-format, quality, blur, rotate, focal point preservation, and configurable transform presets. Transformed images are cached after first generation. No built-in CDN — you bring your own; Cloudinary storage adapter adds CDN capabilities. Strong transforms without native global delivery.
No native video hosting, transcoding, or adaptive streaming. Video is treated as a generic file upload with no thumbnail generation, caption management, or bitrate delivery. A community extension (Transcode Video Operation) provides HLS conversion and thumbnail extraction but is third-party and requires self-hosted setup. Common pattern is integrating Mux, Cloudflare Stream, or Bunny.net externally.
Directus has two partial visual editing capabilities: Visual Editor (in-place editing via `data-directus` HTML attributes — renders your frontend in an iframe for click-to-edit fields, requires developer integration) and Dynamic Page Builder (M2A schema-driven block assembly — non-technical users assemble pages from pre-defined block collections, no drag-and-drop layout). The v12.0 Studio redesign improves non-technical UX but does not add a Webflow-style drag-and-drop layout designer; visual editing still requires developer setup of the `directus/visual-editing` library.
v12.0 (June 2026) shipped native draft and published states: editors work on drafts by default, publishing is an intentional action, and version indicators appear throughout the Studio — previously this required a DIY status-field pattern. Configurable multi-step routing still relies on Flows + field-level permissions (status gates, pause-and-wait approval callbacks, notifications). Directus states the native publishing infrastructure is the foundation for upcoming scheduled releases and advanced approval workflows, but those are not yet shipped, and there is still no native task assignment, SLA dates, or visual workflow designer.
Scheduled publishing is achievable via Flows with a CRON trigger: a schedule trigger runs at configured intervals, finds items where `date_published` ≤ NOW, and updates status to published — polling-based, not exact-timestamp. A calendar layout view exists in Data Studio for date-based content browsing. v12.0 lays the foundation for native scheduled releases but they are not yet shipped. A third-party Schedule extension adds a scheduling UI with start/end dates. No native one-click 'Publish at...' UI, no atomic release bundles, no embargo/expiry in core.
Native collaborative editing shipped in v11.15 (February 2026): field-level locking (fields lock while another user is editing), real-time presence indicators (user avatars showing who is active on the page and which field they're in), WebSocket-based sync, Redis support for clustered multi-instance deployments. Works across collections, file library, and relational fields. No native inline commenting or @mentions — activity log tracks changes but is not threaded discussion.
No native form builder in Directus. The recommended pattern is to model forms as Directus collections (fields define form fields, a submissions collection stores responses) and render the form in a custom frontend. There is no WYSIWYG form builder, no conditional logic engine, no CAPTCHA integration, no progressive profiling, and no form analytics in core. No mature community form builder extension exists.
Directus Flows can send transactional emails via SMTP as a built-in operation. No official pre-built connectors to Mailchimp, HubSpot, Marketo, or Brevo exist in the Marketplace. The Zapier beta integration and n8n verified node provide iPaaS paths to ESPs without custom code, marginally improving the story over pure webhook-based integration. Still no subscriber list sync, email template builder, or campaign orchestration in core.
No native marketing automation capability. Directus Flows is a general-purpose content workflow automation engine (content events → HTTP calls, emails, scripts) — it is not a marketing platform with lead scoring, drip campaign orchestration, behavioral triggers from visitor activity, or lifecycle stage management. Not comparable to HubSpot or Bloomreach's built-in automation.
No native CDP, no official Segment/mParticle/Tealium/Bloomreach CDP integration. Directus Flows can emit webhooks to external systems on content events, enabling custom event streaming to a CDP. No unified customer profiles are available within the CMS, no audience sync for personalization, and no real-time identity resolution. Zapier/n8n provide iPaaS paths but no first-party CDP connector exists.
Directus has an in-app Marketplace backed by the npm registry covering 7 extension types (interfaces, displays, layouts, modules, panels, hooks, operations). The official directus-labs/extensions GitHub repo provides experimental first-party extensions. Directus now has an official integrations documentation section with guides for n8n, Clay, Zapier (beta), Vercel, Netlify, and Framer — showing ecosystem maturation beyond the Marketplace. The Zapier beta integration alone opens 6000+ app connections. Still smaller than Contentful or Storyblok's ecosystems but growing meaningfully.
Directus Flows provides a comprehensive event-driven automation engine: 5 trigger types (Event Hook on any collection CRUD/login/error, inbound Webhook, Schedule/CRON, Another Flow, Manual button), HTTP Request operations for outbound calls. v11.16 added a Deployment module with real-time webhook status for Vercel/Netlify deployments and role-based deployment access. Official Zapier triggers and n8n trigger nodes now provide documented event-driven integration paths. No native Kafka/EventBridge/Pub-Sub streaming; no signed payload verification confirmed.
v12.0 (June 2026) made draft a default native state — editors work on drafts and publish intentionally, with version indicators across the Studio — strengthening the draft/preview story on top of existing Live Preview (configurable preview URL patterns per collection with dynamic {id}/{slug} tokens, Next.js Draft Mode integration, Content Versioning + named-version preview) and the Visual Editor's iframe in-place editing. v11.16 added global draft versions. Preview URLs can be shared with stakeholders. Still no branch-per-environment workflow or built-in multi-channel preview console.
Directus has one of the most granular permission systems in the headless CMS space: custom roles with multiple Policies applied additively, collection-level CRUD+share permissions, field-level read/write access per role, row-level security with dynamic variable filters, field presets and validation per role, IP/CIDR allowlisting per policy, native SSO (OAuth2/OIDC/LDAP/SAML), built-in 2FA. Note: v12.0's MSCL license now gates SSO and custom permission rules behind a paid license for orgs over $5M revenue / 50 employees — the capability remains but is license-enforced. No SCIM user lifecycle provisioning keeps this from 80+.
Directus exposes both REST and GraphQL with documented behavior parity — a single query can retrieve multiple related data points via either protocol — and the directus.io/docs/api reference is comprehensive with REST, GraphQL, and SDK examples in every endpoint section. The v12.0.0 line (and v12.0.1/v12.0.2 patches, June 2026) shipped fixes for aliased relational fields across GraphQL queries, fragments, and REST, continuing the GraphQL stability work from v11.17. No built-in interactive playground ships with the product (third-party GraphQL explorers required), keeping it below 85.
Directus Cloud runs on AWS with Redis-based distributed caching, CDN asset delivery, and multi-AZ auto-scaling, and recent releases added REDIS_NAMESPACE configuration plus configurable import timeout/concurrency tunables. However, public documentation on specific rate limits, API call-per-second ceilings, or documented entry-count scale limits remains sparse, and self-hosted deployments inherit whatever infrastructure the operator configures. Adequate for most workloads but lacks the explicit performance guarantees that tier-1 SaaS CMSes publish.
The official @directus/sdk on npm is TypeScript-first, modular, and dependency-free with strong type safety. Beyond JavaScript/TypeScript, all other language SDKs (Python, PHP, Go) are community-maintained, not official. This holds the score in the 50–55 range — one excellent official SDK but no multi-language official coverage matching what tier-1 headless CMSes publish.
Directus has dedicated integration guides covering native Vercel and Netlify deployment modules (with real-time build status), Zapier (beta) opening thousands of app connections, an n8n community node for workflow automation, Clay for data enrichment, and Framer for bidirectional CMS sync, with deployment integrations surfacing provider dashboard links. The ecosystem is broadening beyond UI/workflow extensions but still lacks pre-built integrations for commerce, DAM, and analytics categories.
Directus has a comprehensive extension system covering custom API endpoints, server-side hooks (database events, schedules, lifecycle), App Extensions (interfaces, displays, panels, modules, layouts, themes), Operations for Flows, and a CLI that scaffolds every extension type, with Themes formalized as an extension type and a Marketplace for publishing. Under the v12 MSCL license, connecting custom/self-hosted LLMs is now a licensed feature — a minor gating — but the core extension framework remains unrestricted and runs in the same environment as the main application with direct service access.
Directus supports SSO via OAuth 2.0, OIDC, LDAP, and SAML 2.0, plus MFA and API token management, and v11.17 added OpenID/OAuth2 cookie security attribute configuration. With the v12 MSCL license (June 2026), SSO is no longer in the free Core tier — it now requires a Team or Enterprise license (or the Open Innovation Grant for orgs under $5M revenue / 50 employees) even on self-hosted, where it was previously freely configurable via environment variables; unlicensed instances lose SSO login after the 30-day grace period. SSO is functional and available on the mid-tier Team plan, but the new license enforcement on self-hosted adds friction, lowering the score.
Directus v11 introduced a Policy-based additive permissions system on top of RBAC, with permissions scoped to collection + item + field level, custom filter rules for read and write access, content-instance-level access control, and default value injection — one of the most granular permission models in the open-source CMS space. The granularity is unchanged in v12, but under the new MSCL license custom permission rules are now a licensed feature gated behind Team/Enterprise (or the Open Innovation Grant) for orgs over the free thresholds, so the most powerful permissioning is no longer freely available, trimming the score from its prior peak.
Directus Cloud achieved SOC 2 Type II certification in July 2025; GDPR is documented and AWS underlies the cloud (which itself holds ISO 27001 and SOC 2 Type II). EU data residency is not explicitly advertised, no HIPAA BAA is offered, and Directus does not hold its own ISO 27001. This places Directus in the SOC 2 Type II + GDPR tier without ISO 27001 or HIPAA, capping the score in the high 60s.
The 2026 advisory stream continued past the four April HIGH-severity issues, with further CVEs disclosed including CVE-2026-35408 (COOP-header SSO interception, CVSS 8.7), CVE-2026-39943 (plaintext token/key disclosure in revision records), CVE-2026-35409 (SSRF bypass via IPv4-mapped IPv6), and several moderate open-redirect and enumeration fixes, on top of the 2025 CVSS 9.3 critical (CVE-2025-55746). Disclosure and patching are active and responsible (security@directus.io, researcher credits), but there is still no traditional paid bug bounty — only a Key Contributors recognition program — and the recurring high-severity pattern holds the score at 50.
Directus remains source-available with official Docker images on Docker Hub and GHCR for full self-hosted deployments on any infrastructure, alongside Directus Cloud (managed SaaS on AWS), and v12's MSCL license converts each version to GPLv3 after four years. However, v12 replaced the permissive BSL honor system with active license-key enforcement: the free self-hosted Core tier is now capped at 3 user seats / 25 collections / 5 flows, and larger organizations need a paid commercial license (or the Open Innovation Grant). Deployment flexibility is still maximal, but self-hosting is no longer freely unlimited, pulling the score down from the top of the band.
Enterprise Cloud offers a minimum 99.9% uptime SLA (99.99% available under custom enterprise agreements with dedicated single-tenant servers and region selection), and status.directus.cloud provides public transparency — reporting 100% uptime across April–June 2026. Self-service cloud customers receive no uptime guarantee, and the Starter tier retirement (Nov 2025) narrowed cloud options, so the absence of any SLA for non-enterprise cloud caps the overall score in the low 60s.
Directus Cloud uses AWS with multiple availability zones, Redis distributed caching (with namespace control), auto-scaling, and a global CDN, while Enterprise Cloud runs on dedicated single-tenant servers with no hard limits on users, collections, or data volume and configurable import timeouts/concurrency. Documented benchmarks, API call-per-second ceilings, and named hyperscale enterprise references remain unavailable, holding it in the upper-60s.
Directus Cloud offers automated backups, and self-hosted deployments can use S3-compatible automated backups; schema snapshot/apply commands enable schema version control and the migration module supports instance-to-instance migration. However, no public RTO/RPO documentation exists for Cloud, and multi-region failover details are not advertised outside Enterprise discussions, holding the score in the upper-50s.
Directus runs fully locally via Docker Compose with official images — developers get a complete instance including Data Studio and API on localhost — and the extension CLI scaffolds every extension type, with v11.17 having improved local build performance via tsdown's oxc-transform. The workflow remains Docker-based without a lightweight emulator mode, capping the score in the low 70s.
Directus supports schema snapshot/apply for CI/CD schema promotion, and the migration module enables instance-to-instance migration with compatibility checks, while native deployment modules integrate with Vercel and Netlify (with provider dashboard links and real-time build status) and run migrations automatically during deployment. Branch-per-PR content environments and automated migration rollback tooling remain unsupported natively, capping the score below 70.
docs.directus.io is comprehensive and well-structured with REST, GraphQL, and SDK examples across every endpoint, plus a dedicated integrations section providing step-by-step guides for n8n, Zapier, Vercel, Netlify, Clay, and Framer, and thorough getting-started and extension-development content. No interactive API playground ships with Directus (third-party tools required), holding the score below 80.
The official @directus/sdk is TypeScript-first with comprehensive type definitions covering the full API surface and IDE IntelliSense, and v11.17 migrated collab types into @directus/types. Schema typing still requires manually defining types or community tools (directus-extension-ts-typegen, directus-typescript-gen) — no first-party code-generation CLI auto-generates types from the content model, capping this below 80.
Directus shipped its first major version cycle since v11, releasing v12.0.0 GA on 2026-06-15 after rc.1 (May 29) and rc.2 (Jun 5), with v12.0.1/v12.0.2 patches following within days. The v11.17.x line continued weekly through Apr 2026, so cadence spans both steady minors and a coordinated major. Higher than before because a real major version cycle — the prior ceiling reason — is now demonstrated.
Directus maintains a structured docs changelog at directus.io/docs/releases/changelog organized by version, distinguishing improvements from breaking changes, and the v12 release was accompanied by a dedicated migration guide and license FAQ. Monthly community changelog recaps with video continue. Not higher because automated migration codemods for extension authors are still not provided.
Directus operates a public roadmap at roadmap.directus.io using Productlane with community feedback capability, and the v12 direction (editorial workflows, MCP/OAuth 2.1, AI translations) was communicated ahead of GA. Not higher because it lacks granular milestone dates or weighted community voting.
Directus correctly reserved its breaking changes for a major bump (v11→v12): VResizeable deprecation, status→archived, and main→published rename (with backward compatibility maintained), all documented in the breaking-changes section, plus a 30-day grace period for newly license-gated features. Still no automated codemods for extension authors and no formal 12+ month deprecation windows. Appropriate semver hygiene offset by the absence of migration tooling.
Directus has ~35k GitHub stars, 4.7k+ forks, 10k+ Discord members, and claims 10M+ total installations. The 20K+ star tier warrants 75+, but Discord size is moderate relative to Strapi (~70k stars) and npm monthly download volume for @directus/sdk remains modest. Steady but not accelerating growth.
Engagement remains active via monthly changelog discussions, Discord, the Discourse forum, and Productlane feedback, with core-team participation. However, the v12 MSCL relicensing with active license enforcement triggered notable friction — Reddit/self-hosted threads express frustration over feature-gating (SSO, custom permissions, AI) and some users are openly weighing alternatives. Lowered to reflect souring community sentiment despite high baseline activity.
Directus maintains 55+ global partners with a tiered certification system, a public agency directory, revenue sharing, and exclusive training. Third-party agency roundup articles validate the ecosystem. However, no major global SIs (Accenture, Deloitte, Valtech) are listed, and the partner count remains modest compared to enterprise platforms.
Directus has Udemy courses, a dedicated learning site (learndirectus.com), official Directus TV tutorials, and expanded integration documentation, plus multiple 2026 comparison articles featuring it prominently. The v12 release also generated fresh third-party coverage and licensing explainers. Still does not reach Strapi's content density but improving.
Directus is recognizable in the developer community via its GitHub presence (~35k stars) and npm ecosystem, with a handful of Directus-specific LinkedIn job postings and agencies offering dedicated Directus developer hiring. The partner certification program adds a formal credential pathway. Not higher because it does not appear in the Stack Overflow Developer Survey or major analyst reports.
The v12 release expands the platform story (editorial workflows, MCP/OAuth 2.1 for AI agents, redesigned Studio) and the MSCL model is an explicit monetization push, but the relicensing introduced churn risk: some self-hosters are evaluating Pocketbase and Payload rather than upgrading. Enterprise logos (Adobe, AT&T, Bose, Tripadvisor, U.S. Navy) and 10M+ claimed installs remain, with ~55 employees. Lowered to reflect migration friction partly offsetting feature and commercial momentum.
Directus raised ~$19.5M total ($7M Series A in Nov 2022 led by True Ventures) with no new rounds in 2025–2026, and the v12 MSCL relicensing is explicitly framed around 'long-term sustainability' — a revenue-driven monetization move rather than a growth round. ~55 employees maintained and monthly shipping continues. Stable but modest: the relicensing signals a push for commercial revenue without fresh capital.
Database-first architecture and the growing integration/AI story (MCP, n8n, Vercel, Netlify) remain clear differentiators, but the v12 move from BSL to the more restrictive MSCL weakens the open-source positioning precisely as rival Payload went MIT-licensed, pushing some buyers toward Payload and Pocketbase. Still no analyst recognition (no Gartner MQ or Forrester Wave). Lowered because the relicensing erodes the open-source advantage relative to direct competitors.
Directus holds a G2 rating of 4.9/5 (~50 reviews) and Capterra 4.5/5 (60 reviews), with users praising flexibility, the SQL-native approach, and open-source extensibility. However, the rubric penalizes strong negative community sentiment: the v12 relicensing drew vocal frustration over feature-gating and license enforcement on Reddit/HN, not yet reflected in the slower-moving review sites. Lowered from the prior score to capture this recent backlash on top of the existing low-review-count ceiling.
After the v12 (June 2026) restructure, Directus publishes a clearer tier ladder: free Core (self-hosted) / Core Cloud at $99/mo, a now-public Team tier at $499/mo annual ($599/mo monthly), and a sales-gated Enterprise tier (third-party sources cite a ~$15,000/yr floor). Publishing the Team price is an improvement over the old Professional-then-custom gap, but Enterprise (SCIM, offline mode, dedicated infra) remains contact-sales only.
The v12 tiering created a steep free-to-paid cliff: the $99/mo Core Cloud tier is now hard-capped at just 3 seats and 50 collections, and the next real tier (Team, with SSO and custom permissions) jumps to $499/mo — a ~5x step. Limits remain hard caps rather than metered overages, which is predictable but inflexible, and the $5M revenue + 50-employee self-hosted threshold still creates uncertainty for growing startups. Lower than before because the entry tier was materially narrowed while the upgrade cost rose.
v12 introduced active license enforcement (MSCL-1.0), reversing the v10.1.0 'full feature parity' posture that previously justified a high score. SSO now requires the Team tier ($499/mo) and is not available on Core, custom permission rules on access policies are ignored without a license, and SCIM, offline mode, and custom/self-hosted LLM features are gated to Enterprise. Gating SSO and custom roles behind expensive tiers is exactly the problematic pattern the rubric penalizes — though core data modeling, APIs, and basic RBAC remain free.
A monthly billing option returned with v12 — Team is $599/mo on a rolling monthly basis vs. $499/mo on annual commitment — and the Innovation Grant gives qualifying orgs (<$5M revenue, <50 employees) free use. Existing customers were protected during the transition (monthly plans grandfathered six months, annual honored to renewal). However, monthly flexibility only begins at $499+/mo, and there is no published dedicated startup-discount program beyond the grant.
Self-hosted Core remains genuinely free with commercial use permitted, and the Innovation Grant extends full free use to orgs under $5M revenue and 50 employees. But the v12 free Core tier is now explicitly capped (3 seats, 50 collections) and subject to active license enforcement via registration keys, with SSO unavailable and custom permission rules ignored unless licensed. Still a permissive, commercially usable free path, but more feature-restricted than the pre-v12 model.
Directus Cloud provisions in roughly 90 seconds and one-click deploy templates (e.g. Railway) provide a fast self-hosted path, with the dependency-free @directus/sdk and framework tutorials (Next, Nuxt, Astro, SvelteKit) keeping first-API-call under 30 minutes. The v12 redesigned Studio and native draft/publish workflow further smooth onboarding for non-technical users. A registration-key step adds only trivial friction.
Community signals continue to indicate standard headless CMS timelines — days to weeks for typical projects — with auto-generated REST/GraphQL APIs reducing custom backend work. The v12 native draft/publish experience and redesigned editorial Studio streamline common content-workflow setup. Sustained release cadence through v12.0.2 (June 2026) reflects a healthy, actively maintained platform.
Directus is built entirely on mainstream technologies — Node.js, TypeScript, Vue.js, standard SQL (PostgreSQL/MySQL/SQLite), REST, and GraphQL — with no proprietary DSL, query language, or certification program. Native MCP support further aligns it with standard tooling. Any competent full-stack TypeScript developer can be productive after brief familiarization, keeping the premium over a generalist Node developer minimal.
Core Cloud at $99/mo bundles all infrastructure, while self-hosted needs only a container host and PostgreSQL (Redis is optional, required only for horizontal scaling), with Railway one-click deploy enabling ~$5–20/mo small setups. Typical production self-hosted on AWS/GCP without Redis runs ~$20–100/mo. Score reflects the additional infrastructure spend versus a pure-SaaS model for the most likely self-hosted deployment path.
Directus Cloud is fully managed with near-zero ops overhead, and single-container self-hosted is moderate — Docker plus PostgreSQL, with Redis only for scaling. v12's active license enforcement and registration-key model add a small new operational concern: keys must be maintained and the 30-day grace window or an expired/misconfigured license can disable SSO and custom permissions. Slightly lower than before to reflect that added license-management surface.
Lock-in remains low by design: Directus wraps your existing SQL database, so data lives in standard PostgreSQL/MySQL tables you define, schema is portable via /schema/snapshot and /schema/apply, and files sit in any S3-compatible store — removing Directus leaves data intact. Slightly below the prior score because v12 adds a soft dependency: above-threshold self-hosted users must maintain a paid license or lose SSO and custom permissions, even though raw data export stays trivial. MSCL versions also become GPLv3 after 4 years.
Directus maps closely to standard web development concepts: collections = database tables, fields = columns, items = rows, roles = access control, with REST/GraphQL exposed automatically and no proprietary query language. v12's explicit draft/published item states map to familiar CMS mental models rather than adding new abstractions. Slight complexity remains from system vs. user collections and the abstraction layer above the raw schema, keeping it just below the 75 threshold.
Structured quickstart, dedicated tutorials, and framework-specific guides for React, Nuxt, and Astro, plus directus-template-cli scaffolding and AI Assistant in-context help. The v12 launch added upgrade/licensing migration docs and a redesigned Studio, but introduced no formal certification program or in-app guided tours, keeping onboarding depth below Contentful or Sanity. The new MSCL upgrade path is one additional thing existing users must learn, offsetting the expanded docs surface.
Standard REST and GraphQL APIs with no proprietary query language; official JS/TS SDK handles auth, collection access, and type generation, and works with Next.js, Nuxt, Astro, and SvelteKit via official starters. v12 makes JSON dot-notation path filtering native at the database level, further aligning with conventional data-access patterns. Node.js backend is universally familiar; no proprietary templating or rendering engine.
The official directus-labs/starters repo provides starters for Next.js, Nuxt, Astro, and SvelteKit, and directus-template-cli init supports frontend/template selection with content model and example content. Quality is good but not as polished or actively maintained as Sanity's or Contentful's starter ecosystems, with community starters filling some gaps. No v12-specific change to the starter lineup.
Self-hosted Directus still needs a .env with DATABASE_CLIENT + connection vars, SECRET, ADMIN_EMAIL, and ADMIN_PASSWORD (6–10 vars for production). v12's MSCL relicense adds new configuration friction: paid features (SSO, custom permission rules, custom/self-hosted LLM connections) now require a software license key with active enforcement after a 30-day grace period, and PUBLIC_URL must be set to a valid absolute URL (the default `/` is rejected during activation). The free Core tier still needs no registration and runs air-gapped, but the added licensing surface and previously-free features now gated pull this down from 64.
Directus wraps your own database, so schema changes operate at the DB level with no proprietary field-count limits; schema migration endpoints enable environment promotion with diff and dry-run previews. v12's AI-assisted translations build on the v11.17 translations generator to further automate i18n collection/field creation. Renaming or changing field types still carries standard database-level risk, though tooling helps inspect changes, keeping it in the low-risk-with-tooling band.
Directus offers a Visual Editor (@directus/visual-editing) where editors hover and click to edit content directly on the frontend preview, with field-level permission and version checks. v12 makes draft/published a first-class native workflow — new items open in draft by default and publishing is an explicit action, with version selectors and publish actions surfaced as core Studio UI — reducing the custom wiring previously needed for draft-mode preview. Still requires installing the library and adding data-directus attributes for visual editing, so it is well-documented but not fully plug-and-play.
Generalist TypeScript/JavaScript developers can be fully productive with standard REST/GraphQL skills — no certification exists or is needed. Some Directus-specific knowledge helps for Flows, custom extensions, and Hooks/Operations, but these are optional and follow conventional JS patterns. v12 adds licensing/key management as a mild ops consideration rather than a specialized skill; the Visual Editor uses standard data attributes, not a proprietary framework.
A solo developer can realistically build and deploy a production Directus project: Directus Cloud removes infrastructure concerns, self-hosted Docker Compose is a one-file setup, and one-click Vercel/Netlify deployments reduce the ops surface. Auto-generated APIs and the permission system let one person own content modeling, API, auth, and frontend. The v12 license-key step is a minor addition that does not change the minimum viable team.
v12 delivers a native editorial workflow that materially reduces post-go-live developer involvement: explicit draft/published states with drafts opening by default, intentional publishing, and a redesigned Studio surfacing draft indicators, version selectors, and publish actions for non-technical users. Combined with collaborative editing, live presence, the Visual Editor, and v11.17 deployment-module RBAC (content teams trigger Vercel/Netlify builds without full admin), editors self-serve far more of the publish workflow. Structural/schema changes still require developer access, and advanced approval workflows rely on custom permission rules that v12 now gates behind a paid license, capping the gain.
The v12.0.0 major release (Jun 10, 2026) makes upgrades materially harder than the clean v11.17.x cadence: operators must evaluate licensing, potentially convert SSO users to email/password, flip the now-default `IP_TRUST_PROXY=false` if behind a reverse proxy, repoint monitoring off the newly auth-restricted `/server/health`, and migrate theme/extension code (shell scope, removed v-button `rounded`, deprecated VResizeable). The non-semver risk the prior score flagged is now realized as a multi-step v11→v12 migration. Not lower because most data-layer changes (status→archived boolean, ?version=published) are backward-compatible and the API upgrade itself remains Docker-image-swap based.
Patch velocity remains good — v12.0.1 (Jun 11) and v12.0.2 (Jun 12) shipped fixes within days of v12.0.0, and no new advisories have appeared since the April 2 batch. v12 also hardens defaults (`IP_TRUST_PROXY=false` against IP spoofing, `/server/health` no longer exposed to anonymous callers), a modest security-posture gain. Score stays well below peers because the historical advisory volume (15+ in ~6 months, including the April High-severity batch fixed in 11.17.x) still dominates the baseline.
v12.0.0 relicensed Directus from BUSL-1.1 to the source-available MSCL-1.0-GPL and turned on active license enforcement: self-hosted instances default to a Core tier where SSO logins stop working, custom permission rules on access policies are ignored, and custom/self-hosted LLMs and AI translations are disabled — enforced after only a 30-day grace period on upgrade. This is a textbook vendor-forced cutover on the vendor's timeline that strands features production self-hosted users already depend on, the most severe forced-migration event in Directus's recent history. Scored near the dataset floor for this dimension because enforcement is immediate, the grace window is short, and the changes are commercially coercive rather than merely technical.
v12 continued the monorepo consolidation and active CVE hygiene seen across the 11.17.x line, with the API advancing to @directus/api@36.x. The Docker-first runtime (Node, database, optional Redis/search/CDN) is unchanged in shape, and the major-version dependency jump was absorbed without introducing new external service requirements. No movement: dependency surface and tending quality are stable versus the prior assessment.
v12 reworks the health surface: `/server/health` is now cached and shared across multi-instance deployments and restricted to authenticated users (404 for anonymous), with `/server/ping` designated for liveness and new `HEALTHCHECK_ENABLED`/`HEALTHCHECK_SERVICES` env vars to toggle or scope checks. The added granularity and multi-instance correctness are genuine operational improvements, but they require reconfiguring existing health probes on upgrade. Still no native APM or webhook-delivery dashboards, so external monitoring remains mandatory and the score moves only incrementally.
v12 adds modest content-governance guardrails — published items in versioned collections are now locked and must be edited through a draft version, reducing accidental edits to live content — though it also removed the extra confirmation step from the publish flow, slightly raising accidental-publish risk. JSON repeater inline editing and keyboard date entry (v12.0.1) smooth day-to-day editing. Automated content hygiene (orphan detection, broken-reference alerts, content expiry) is still absent, so the net change is neutral.
v12 brings no major performance-management step change beyond the multi-instance health-check caching, which trims redundant probe load. The tunable surface established in 11.17.x (ASSETS_CACHE_REVALIDATE ETag/must-revalidate headers, GraphQL resolver dedup, Redis namespace control, useItems count-request reduction) carries forward. Self-hosted operators still own Redis, CDN, and database tuning, so the score holds steady.
Support structure is unchanged: open-source self-hosted users rely on community channels with no formal SLA, while Premium support ($300/month add-on) and Enterprise Cloud provide 24/7 critical-issue support and a dedicated CSM. The v12 licensing model now formalizes paid tiers but does not alter support responsiveness or accessibility. Meaningful support remains locked behind paid plans, keeping Directus mid-range on this dimension.
Discord, GitHub Discussions, and issue triage remain active with consistent team participation, and the release cadence stayed brisk (v11.17.0 through v12.0.2 across ~12 weeks). The modest reduction reflects the relicensing-and-enforcement event in v12, which converts a permissively open project into a source-available one with paid gating — a move that erodes the open-source community value proposition and carries real risk of contributor and goodwill attrition. Still clearly above open-source headless peers (Strapi ~48.7) on participation and responsiveness.
Velocity remains a strength: v12.0.1 and v12.0.2 each shipped real bug fixes (batch-update revision snapshot mismatch, user-count with conflicting policy/role) within one to two days of the v12.0.0 GA, and the 11.17.x line patched the April advisory batch promptly. The non-semver model still bundles fixes into version bumps rather than isolated hotfixes, adding upgrade friction for conservative self-hosted operators. Held steady at mid-range as the responsive cadence offsets the absence of a dedicated hotfix-branch model.
Directus v12 (June 2026) shipped a comprehensively redesigned Studio — reworked navigation, headers, sidebars, and action patterns explicitly aimed at non-technical users — plus version indicators inside the visual editor so editors always know which draft/published version they are editing. Visual Editing (GA April 2025) still enables in-place editing across Nuxt, Next.js, and Astro frontends, and the M2A Dynamic Page Builder lets editors assemble pages from predefined block types with drag-and-drop reordering. The Framer bidirectional content sync remains designer-focused. The v12 editor refresh improves the marketer editing experience but does not add layout authoring — developers must still create block schemas and component definitions, so marketers edit and compose from existing blocks but cannot author new layouts from scratch. Remains at the low end of the edit-but-not-create tier, nudged up slightly by the redesigned Studio.
Directus v12 introduced a native draft & publishing workflow — explicit draft/published states when content versioning is enabled, with publishing as an intentional action — and replaced the collection status field with a native archived boolean, bringing the platform closer to a real publish/archive lifecycle. The Releases feature still batches cross-collection content for simultaneous publish, and Flows can automate scheduled email sends. However there is still no native content calendar, multi-channel campaign coordination, campaign analytics, or audience segmentation. Scores at the low end of the headless CMS range, lifted slightly by the v12 publish lifecycle.
The first-party @directus-labs/seo-plugin provides metadata management, focus keyphrase analysis, OG image settings, sitemap configuration (change frequency, priority), canonical URL support, custom meta tags, and JSON-LD/Schema.org output. Redirect management remains manual or server-level. v11.17 adds a utility endpoint and UI for generating translations collections, lowering setup friction for multilingual SEO; v12 did not extend SEO tooling. The plugin covers the main SEO bases but requires manual setup per collection and falls short of automated SEO audit suites.
No native form builder, CTA management, lead capture, or UTM/conversion tracking in Directus core through v12.0.0. All performance marketing tooling must come from the frontend or external integrations. The official Zapier (Beta) and n8n integrations could bridge lead data to external form/CRM tools, but Directus itself provides no performance marketing features. Scores at the floor for this item.
No native personalization engine, audience segmentation, or behavioral targeting in Directus core. A 2025 blog post ('Is Your CMS Ready for AI & Personalization?') positions Directus as the content backend that plugs into third-party personalization layers (Optimizely, LaunchDarkly, Segment) via API but does not deliver them natively. The MCP server and AI Assistant enable content creation and schema operations but cannot route personalized content to end users. Scores near the floor for headless CMS.
No native A/B testing, content variant management, or experimentation framework in Directus through v12.0.0. The platform provides no experiment scheduling, statistical reporting, or winner-selection tooling. Teams must wire in external experimentation platforms (Optimizely, LaunchDarkly, VWO) via the API. Scores at the absolute floor.
Content velocity improves materially in v12: a native draft & publishing editorial workflow (explicit draft/published states, version selectors, and publish actions as core Studio UI) plus a comprehensively redesigned Studio aimed at non-technical users, layered on v11.15 real-time collaborative editing (field-level locking, live presence), the Deployments module (Vercel + Netlify build triggers for non-admin roles), Releases for batching cross-collection content, AI-assisted translations, and the v11.17 translation quick-setup utility. Once block templates are defined, editors clone and compose pages quickly with a clearer draft-to-publish path. The ceiling remains developer dependency for new layout types.
Directus's headless API-first architecture makes multi-channel delivery a core strength. Structured content models serve web, mobile, email, digital signage, and in-app via REST and GraphQL APIs. The Releases feature batches cross-collection content for simultaneous or scheduled multi-channel publishing. The Framer bidirectional content sync adds another structured channel delivery path. Flows enable webhook-based event delivery to downstream channels. Fortuna Entertainment Group case study shows 70% faster cross-channel content deployment across web and mobile for 3 gaming brands. The limitation is that channel-specific renditions must be implemented in each consuming application.
No native analytics dashboards or content performance metrics within the Directus Data Studio. Analytics integration is entirely frontend-handled — GA4, Adobe Analytics, or similar tags are added to the consuming application. Directus Flows can emit events to analytics platforms on content publish/update, and the official n8n and Zapier integrations provide structured paths to sync content events to analytics tools, but Directus itself collects no content performance data. No pre-built analytics connectors as of v12.0.0.
Brand consistency is enforced structurally through the M2A Dynamic Page Builder — block types define what components exist, limiting arbitrary layout deviations. Directus Data Studio supports full white-labeling (custom logo, colors, module navigation) for per-brand admin experiences. However, there are no platform-level brand guardrail features — no locked design tokens, no restricted override palettes, no built-in validation that content conforms to brand guidelines. Component-based consistency without enforcement.
The @directus-labs/seo-plugin includes Open Graph and Twitter/X card management with preview and OG image settings. There is no native social scheduling, push-to-social workflow, UGC embed support, or social proof widget in Directus core or the official extension marketplace. The official Zapier (Beta) integration could bridge content publish events to social scheduling tools (Buffer, Hootsuite), but this is generic automation, not a first-class social feature. Social metadata is covered; social workflow is not.
Directus has a built-in file management system with folder organization, metadata tagging, image transformations (Sharp on self-hosted; CDN transforms on Directus Cloud), and multi-file associations per content item. v11.17 added bulk folder deletion from the files grid, improving large-scale asset cleanup, and introduced background data imports enabling large asset batches without blocking the interface. v12 shipped no material file/DAM changes. Not a full DAM — no rights management, expiry workflows, brand portals, or usage tracking across content. Scores in the mid-range of basic media library with transforms.
Strong native localization via Translations field on any collection, creating language-variant records. Directus v12 added AI-assisted translations (auto-translate content across languages from within the Studio) on top of the v11.17 utility endpoint and UI to generate translations collections and fields. The official Crowdin connector automates translation sync with auto-PR merges and WYSIWYG preview for translators, and Data Studio UI is localized in 64+ languages; timezone support aids scheduling across markets. The gap remains no locale-specific campaign variant scheduling, no regional compliance tooling (cookie consent per locale), and no market-level publish windows. Note v12's MSCL relicense gates AI Translations behind a paid license.
Directus has official integration guides for Zapier (Beta — connecting to thousands of apps including CRM, MAP, CDP, and ad platforms), n8n (dedicated Directus node with CRUD operations and trigger node for event-based automation to 400+ service nodes), and Clay (data enrichment and automated workflows). These move beyond the previous Flows-only webhook pattern to officially supported automation bridges. However, there are still no first-party native connectors to Salesforce, HubSpot, Marketo, or ad platforms in the Directus Marketplace through v12.0.0 — all MarTech connectivity is mediated through automation platforms rather than purpose-built integrations.
Directus explicitly markets a PIM solution (directus.io/solutions/product-information-management). Multiple production PIM deployments exist: fashion e-commerce (Fashioncloud/Salsify/ERP consolidation distributing to Shopify, Amazon, Zalando, Otto), Shopify PIM for industrial goods, T2 MarCom engineering data validation, and MightyHQ managing product and marketing data for multiple e-commerce brands. This is a generic modeling approach repurposed for products — no attribute inheritance, completeness scoring, or publish-readiness workflows — but validated by real-world deployments.
No native merchandising features — no category management UI, no promotional content scheduling tied to commerce, no cross-sell/upsell tooling, no search result merchandising. Directus is a data platform, not a commerce tool. Any merchandising logic lives entirely in the frontend or commerce platform.
Directus integrates with Shopify as a headless PIM via REST/webhook-based synchronization — documented case study for an industrial goods retailer syncing categories, tags, images, and translations. An official tutorial covers building an e-commerce platform with Next.js, Stripe, and Directus Automate. The official n8n integration provides a structured automation path to Shopify (n8n has dedicated Shopify nodes for CRUD on products, orders, etc.), improving the integration story from pure custom webhooks to automation-platform-mediated sync. No deep API federation or real-time bidirectional sync; integration remains mediated rather than native.
Editorial commerce is achievable in Directus through M2A page builder blocks blending article content with product references, and the fashion e-commerce PIM case study demonstrates editorial product presentation. MightyHQ manages product and marketing data together from one instance. However, there are no native shoppable content features — no inline product purchase CTAs, no lookbook component, no shop-the-look templates. Product embeds are possible but require custom frontend implementation; not a first-class authoring pattern.
No CMS-managed content in transactional flows. Directus has no native mechanism for injecting trust badges, shipping callouts, upsell banners, or post-add modals into commerce checkout flows. The Stripe integration tutorial covers order creation logic but not CMS-managed checkout content. All transactional content management lives in the commerce platform or requires custom frontend implementation.
Directus Flows can receive webhooks from commerce platforms (Shopify order events, Stripe payment_intent.succeeded) and trigger content-related actions — email sequences, status updates. The n8n integration provides a more structured path for post-purchase automation (n8n Shopify trigger to Directus CRUD operations), but this is still entirely custom. No native post-purchase templates, delivery tracking page management, or loyalty content features.
Directus's RBAC with field-level and row-level permissions enables account-specific content visibility (gated catalogs, segment-specific pricing display). The T2 MarCom case study shows B2B industrial data management with data validation frameworks for technical specifications. However, there are no purpose-built B2B features — no quote-request flows, no customer-specific pricing display components, no account-based catalog segmentation UI. B2B patterns are achievable but require custom schema and frontend design. Note v12's MSCL relicense ignores custom permission rules on the free Core tier, so row-level gating now requires a paid plan.
No native faceted search, content-product blending, or search landing page management in Directus. Teams integrate Algolia, Meilisearch, or Typesense via Flows (sync on item create/update) and build search UIs in their frontend frameworks. The n8n integration provides a more structured automation path for syncing content to external search engines. There is no out-of-the-box search analytics or synonym management.
Directus v12's native draft & publishing workflow (explicit draft/published states) improves pre-staging of promotional content for scheduled go-live, on top of content versioning and the Releases feature that batches promotional updates across collections for simultaneous publish. v11.17 timezone support for datetime fields improves scheduling accuracy for international promotions. However, there are still no native countdown timers, promo code messaging components, time-activated banners, or channel-specific targeting features. Scheduled publishing with a real draft/publish lifecycle is available; purpose-built promotional tooling is not.
Directus handles multi-storefront content via row-level tenancy (tenant_id + RBAC filter rules) on a single instance, allowing shared product content with storefront-specific editorial. The Fortuna Entertainment Group case study demonstrates 3 gaming brands across 5 markets served from one Directus instance. The fashion PIM case study shows content distributed to Shopify, Amazon, and Zalando from a single source. Multi-storefront is achievable but requires custom schema design; no native multi-storefront abstraction exists.
Directus supports image transformations (Sharp on self-hosted, CDN-backed transforms on Cloud), multi-file associations per product record, folder-based asset organization, and basic video file hosting. v11.17 added bulk folder deletion for large asset libraries. There is no native 3D model viewer, AR integration, image hotspot editor, 360-degree product views, or zoom functionality. Basic image galleries and video embeds achievable via custom frontend components.
Directus RBAC supports multi-author content at scale — different editors can own different content namespaces via role-based isolation. A custom marketplace schema (seller profiles as content types, product descriptions with seller ownership via row-level permissions) is achievable. However, there are no marketplace-specific features: no seller onboarding workflows, no content quality moderation queues, no review aggregation, no seller portal UI. Multi-author content is possible but not marketplace-specific.
Directus's Translations field on any collection supports locale-variant product descriptions, multi-language product attributes, and region-specific editorial. v12 added AI-assisted translations to auto-translate product content across languages, on top of the v11.17 utility endpoint + UI for generating translations collections and timezone support for locale-aware scheduling. The Crowdin connector automates translation sync for product content, and the fashion PIM case study distributes product content to Shopify, Amazon, Zalando, and Otto. No currency-aware content blocks or regional regulatory content tooling natively.
No native connection between Directus content and commerce conversion metrics. The Data Studio collects no revenue attribution data, content-assisted conversion tracking, or product content performance analytics. All commerce analytics live in the frontend analytics stack or commerce platform. Directus Flows can emit events on content publish but cannot correlate them with downstream conversion outcomes.
Directus retains deep RBAC for a headless CMS: field-level permissions, filter-rule-based row-level access, IP allow-lists, the v11 policy-based additive permissions model (composable permission sets decoupled from roles), and SSO via OAuth2, OpenID Connect, SAML 2.0, and LDAP. However, the v12 MSCL relicense (June 2026) moves the two controls most relevant to intranet scenarios behind a paid license: SSO no longer works on the free Core tier (users must convert to email/password), and custom permission rules on access policies are ignored on free Core. The depth remains best-in-class for a headless CMS on paid tiers, but the advanced access controls are now paywalled, narrowing the gap to SSO-gating peers. Dropped from prior best-in-class footing for this reason.
Directus v12 added a native draft & published editorial workflow (explicit states, version selectors, publish actions in the Studio) giving knowledge articles a real review-and-publish cycle, on top of content revision history with side-by-side comparison (v11.15), native collaborative editing with live presence, Flows-based approval workflows, global draft versions (v11.16), and comparison modal filtering (v11.17). The 'Mission: Internal Knowledgebase' Directus TV episode demonstrates a verification flow. However, there are still no purpose-built knowledge lifecycle features — no content expiry/review scheduling, no automated archival workflows, no stale content flagging.
Directus does not appear in any intranet comparison and has no native employee portal features — no news feed, employee directory integration, notifications for employees, social features, or personalized dashboards. The 'Built With Directus — Internal App' use cases show it used as a backend for custom-built internal tools, not as an off-the-shelf employee experience platform. The v12 Studio redesign improves the admin editing experience for non-technical staff but is not an employee-facing portal. Building a full employee portal requires extensive custom frontend development. Scores at the floor.
No native internal communications features — no company news feed management, no department announcement targeting, no read receipts, no acknowledgment tracking, no mandatory-read workflows. Directus can host news content in a custom 'posts' collection with Flows-triggered email notifications, but this is entirely custom infrastructure with no internal comms-specific UI in the Data Studio.
No native people directory or org chart features. Directus's flexible content modeling can represent employee profiles as content types with relational fields (skills, manager/team M2M), but there is no pre-built directory UI, no org chart visualization, no HR system integration (Workday, BambooHR), and no search-by-expertise feature. Building a basic employee directory via content modeling is feasible but entirely custom.
Directus v12's native draft & publishing workflow plus the new archived boolean improve staging and retiring of policy documents, on top of content revision history with side-by-side comparison, Flows-based approval workflows, and an activity log that tracks every create/update/delete with user, timestamp, and IP for audit trails. However, there are still no native policy management features: no mandatory acknowledgment tracking, no automated review/expiry reminders, no policy archival workflows with owner notifications, and no content ownership assignment for freshness enforcement.
No native onboarding content delivery features in Directus. Role-based content access via RBAC could theoretically restrict onboarding content to new-hire roles, and Flows could trigger onboarding sequences on employee record creation, but there are no structured onboarding journey templates, progressive disclosure mechanisms, task checklists, or HR-triggered new-hire portal patterns in the product or extension marketplace.
No native full-text or enterprise search in Directus Data Studio — built-in filter/search is limited to basic field-value matching. Teams integrate external search platforms (Algolia, Meilisearch, Typesense) via Flows sync on content publish. The n8n integration provides a more structured path for syncing content to external search engines, but there is no federated search across connected systems, no AI-powered relevance ranking, and no search analytics dashboard.
Directus Data Studio is a web application with responsive design, accessible on mobile browsers, but optimized for desktop admin use. There is no native mobile app for content editors or frontline workers, no offline support, no push notifications, and no kiosk/shared-device mode. Headless API delivery enables custom mobile apps for consumers but requires full custom frontend development. Scores at the low end of responsive-web-without-native-app tier.
No native LMS integration, micro-learning features, course assignment, completion tracking, or certification capabilities in Directus through v12.0.0. Learning content can be hosted as structured content types, but tracking, sequencing, and certification require an external LMS connected via API. No documented integration patterns with Cornerstone, Workday Learning, or similar LMS platforms.
Directus v11.15 added native real-time collaborative editing (WebSocket, field-level locking, live presence indicators) — but this is for content authors in the Data Studio, not for employee social interaction. There are no employee-facing social features: no comments or reactions on published content, no discussion forums, no peer recognition, no polls/surveys, no idea submission, no community spaces. The collaborative editing is an authoring tool, not a social layer for employees.
Directus has official integration guides for n8n (which has dedicated nodes for Slack, Microsoft Teams, Google Workspace) and Zapier (Beta — connecting to thousands of workplace tools). These provide structured automation paths for content-to-workplace-tool delivery beyond raw Flows webhooks. The MCP server (now using OAuth 2.1 in v12) allows AI assistants (Claude Desktop, Cursor) to interact with Directus content. However, there are still no native embedded content cards, no bot-driven experiences, and no single-pane integrations with workplace tools through v12.0.0 — all integration remains automation-platform-mediated.
Directus v12 introduces explicit draft/published states and replaces the collection status field with a native archived boolean, giving a clearer first-class archive concept, on top of content versioning, revision history with comparison view (v11.15), global draft versions (v11.16), and comparison modal filtering (v11.17). The activity log provides an audit trail of all content changes. However, there are still no automated review dates, no stale content flagging, no archival workflows with owner notifications, and no content expiry scheduling. Content lifecycle management remains largely manual — owners must proactively review and archive.
No internal content analytics in Directus. The activity log records admin actions (create, update, delete, login) but not content consumption or employee engagement metrics. There are no page view analytics, no department-level engagement dashboards, no failed search term reporting, no adoption dashboards for intranet ROI measurement. Content analytics must be implemented entirely in the consuming frontend application.
Directus supports multi-tenancy via row-level tenant_id filtering + RBAC policy scoping on a shared instance, and separate-instance-per-tenant for strict data isolation. Row-level isolation is functional and production-validated (multiple SaaS case studies: Saley, Comeata). Directus Cloud Professional projects run in isolated containers. v11.17 added Redis namespace control which improves multi-tenant cache isolation on shared infrastructure. However, there is no native multi-tenant architecture — no built-in tenant provisioning, no schema-per-tenant management, and no centralized tenant orchestration. The proposed Directus Hub remains unreleased as of v12.0.0 (June 2026).
No native cross-tenant or cross-brand content sharing mechanism. In multi-brand setups, shared global content must be federated via API from a central Directus instance — a workable but entirely custom pattern. M2A Dynamic Page Builder blocks serve as a shared component library within a single instance. Schema Sync extensions exist for propagating schema changes across instances. The proposed Directus Hub would add modular schema/extension deployment but remains unreleased.
No native cross-brand governance, centralized approval workflows, or global policy enforcement across multiple Directus instances. The v12 draft/publish editorial workflow strengthens per-instance governance but is not a cross-brand layer. The Directus Hub discussion proposes audit trails, schema drift detection, and centralized access management but remains unreleased through v12.0.0. Per-instance governance is solid (RBAC, activity logs, approval Flows), but there is no multi-instance governance layer. Organizations managing multiple brand instances must coordinate governance manually.
Directus v12's MSCL relicense (June 2026, replacing BSL 1.1) materially reshapes scale economics. The free Core tier is now capped at 3 Studio seats and ~25–50 collections with no SSO and custom permission rules ignored. Organizations under $5M revenue AND fewer than 50 employees can still get full free access via the Open Innovation Grant (registration required), preserving a free path for small agencies. Beyond those thresholds, the paid Team plan is $499/mo annual ($5,988/yr) / $599/mo monthly with 10 SSO seats and $50/seat/mo beyond. Self-hosting remains source-available with near-zero marginal infrastructure cost per brand, and API-only delivery carries no seat cost — but Studio-editor seat licensing now scales with team size and the seat/collection caps constrain larger multi-brand agency use. Still better than SaaS-only per-brand licensing, but the previous best-in-class footing (blanket free under $5M including production, no seat limits) is gone.
Directus Data Studio supports full white-labeling: custom logo, primary color, favicon, and module navigation per project instance. AgencyOS demonstrates per-client branded CMS admin experiences. Brand-level theming of the admin experience is solid. However, there are no platform-level mechanisms for enforcing per-brand design tokens in the content delivery layer — theming of published frontend sites is handled entirely by consuming application code, not by Directus.
Directus supports per-brand localization via Translations fields on any collection, with the Crowdin connector and v12 AI-assisted translations for translation workflow automation, and the v11.17 translation quick-setup utility reducing configuration friction. However, there is no brand-aware localization governance — no per-brand translation approval workflows, no regional legal content governance per brand, and no brand x locale intersection management. Translations are managed per-instance or per-collection, not at a cross-brand level.
No cross-brand or portfolio-level analytics in Directus. The activity log provides per-instance admin action tracking, not content performance metrics. There is no dashboard aggregating engagement, publishing cadence, or content velocity across multiple brand instances. Multi-instance organizations must build custom data pipelines to aggregate metrics. Scores at the floor.
Directus Flows allow different automation logic per collection, trigger, and role — enabling distinct approval chains per brand within a single instance via separate Flow configurations, and the v12 draft/publish workflow adds per-collection editorial states. With separate instances per brand, completely independent workflows are possible. However, there is no central audit across brand workflows, no cross-brand workflow visibility, and no UI for configuring per-brand workflows from a central control point.
Corporate-level content can be syndicated to brand sites via API from a central Directus instance — press releases, legal disclaimers, and product announcements can be fetched by brand frontends from a shared content source. The n8n integration provides a structured automation path for syncing content between Directus instances (CRUD + trigger nodes). However, there is no native syndication mechanism with controlled override points, no push-update system for propagating corporate content to child brands, and no brand-level adaptation layer.
Directus Cloud offers SOC 2 Type II, ISO 27001, and GDPR-compliant infrastructure with 15+ global deployment regions enabling data residency choices. Per-brand RBAC policies can restrict what editors publish in which regions. However, there are no per-brand/region compliance publishing guardrails — no automated GDPR consent content checks, no accessibility standard enforcement, no cookie policy management, and no guardrails preventing non-compliant content publication. Compliance is infrastructure-level, not content-governance-level.
No centrally maintained design system with federated brand extensions in Directus. Dynamic Page Builder block types serve as a rudimentary component library within a single instance, but there is no versioning, update propagation across instances, or brand-level extension mechanism. AgencyOS provides a starting template for per-client deployments but does not implement a federated design system. White-label branding is limited to the admin UI.
Within a single Directus instance, the v11 policy-based permissions model supports composable roles enabling central admin oversight of all brands alongside brand-specific editor roles, and access policies can be duplicated to reduce setup repetition. However, v12's MSCL relicense moves SSO (SAML/OIDC/LDAP) behind the paid Team plan ($499/mo, 10 SSO seats) — it no longer works on the free Core tier — so unified cross-brand authentication now requires a paid license. In multi-instance setups, user provisioning must still be replicated per instance; there is no native cross-instance user management hub.
Directus's flexible schema-based content modeling allows shared base content types reused across brand contexts within a single instance, with brand-specific fields added per collection. Schema Sync extensions enable propagating schema changes across instances. However, there is no formal model inheritance mechanism — Brand A cannot extend a global product page model without diverging schemas that must be manually synchronized. Shared types with limited customization are achievable but not architected for multi-brand extension without forking.
No portfolio-level reporting in Directus. Per-instance activity logs track admin actions with timestamps, users, and affected items, but there is no cross-instance aggregation, no content freshness reporting by brand, no publishing SLA tracking, no cost allocation per tenant, and no capacity planning dashboard. Organizations managing a brand portfolio must build custom data pipelines to aggregate metrics from multiple Directus instances. Scores at the floor.
Directus publishes a Privacy Policy with GDPR rights (erasure, portability, access, rectification) and CCPA rights, plus a public Trust Center sub-processor list (AWS, Cloudflare, SendGrid, Google, and Northflank — engaged Feb 1, 2026 for cloud infrastructure/hosting). Multiple EU regions are available, but a GDPR-compliant DPA is offered only on the Enterprise Cloud tier with no self-service DPA for Professional, which caps the score below the 80+ tier.
Directus Cloud does not offer a HIPAA BAA, and no healthcare-specific guidance appears in the security or trust documentation. Self-hosted deployments can be placed on HIPAA-eligible infrastructure, but compliance is entirely the customer's responsibility — no vendor-side coverage exists.
Coverage is limited to GDPR (EU) and CCPA (California), explicitly addressed in the Privacy Policy. The security page references NIST SP 800-53 access-control principles and AWS Well-Architected reviews, but these are framework adoptions rather than certifications. No FedRAMP, IRAP, C5, PCI-DSS, HITRUST, UK GDPR IDTA, LGPD, or PIPEDA documentation found.
Directus Cloud holds a SOC 2 Type II attestation audited by A-LIGN (announced July 2025) covering all five Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — with the report accessible via the SafeBase-hosted Trust Center under NDA. The full TSC scope places this at the top of the SOC 2 tier; annual surveillance cadence is not explicitly published, which prevents pushing higher.
Directus does not hold ISO 27001 at the platform/ISMS scope. The security page only states that cloud hosting providers (AWS) must be ISO 27001 compliant, which per the scoring rules cannot be inherited by the SaaS platform. No ISO 27018 certification is published.
Beyond SOC 2 Type II, the Trust Center publishes a CAIQ self-assessment (equivalent to CSA STAR Level 1) and penetration test reports. NIST SP 800-53 alignment and AWS Well-Architected reviews are framework adoption, not certification. No PCI-DSS, Cyber Essentials, FedRAMP, IRAP, ENS, or C5.
Directus Cloud advertises 19 regions on Enterprise (US, EU, APAC, South America, Africa) and 3 on Professional (US East, EU Frankfurt, APAC Singapore), with documentation framing region selection for GDPR. However, contractual residency guarantees are not publicly documented in standard terms, and CDN-cache impact on residency is not addressed.
Trust Center documents data erasure procedures and backup policy with daily encrypted (envelope-encrypted) backups and 24–48h RTO/RPO. The privacy policy supports right-to-erasure and data portability. Specific post-termination retention windows are not published, and there is no self-service bulk export portal beyond the standard REST/GraphQL APIs.
The Activity Log captures user actions, system events, timestamps, and IP addresses with REST/GraphQL export. Documented n8n integration provides event-based trigger nodes that can forward Directus events to external systems, supplying a documented path to SIEM beyond pure API polling. Still no native SIEM push connector, log retention period is undocumented, and direct database writes outside the API are not captured.
Directus publishes a dedicated accessibility page for Data Studio documenting keyboard navigation (Tab, arrow keys, Enter/Space), skip menu, and shortcuts (Meta+S save, Meta+Enter apply, Escape cancel). Known limitations are transparently listed (manual sorting, DateTime interface, CodeMirror Tab-trap, Markdown editor). The v12 Studio redesign (June 2026) reworked navigation and editorial workflows but introduced no formal WCAG 2.1 AA conformance claim or ATAG 2.0 statement, which keeps this below the 45+ stated-target tier.
A dedicated accessibility documentation page covers keyboard navigation and known limitations, providing practical guidance. However, no VPAT/ACR is published, no Section 508 conformance statement exists, and no ATAG 2.0 assessment is available — the page is operator guidance rather than procurement-grade conformance documentation.
Directus ships a native AI Assistant (GA since v11.15, carried into v12.0.0 June 2026) embedded in the Data Studio sidebar with reusable Mustache-templated prompts and built-in presets for spelling/grammar, social posts, SEO descriptions, expand/condense, and rewrite. In v12 the Assistant creates content, runs translations, and triggers Flows directly from the Studio. The Marketplace AI Writer Flow operation extends generation to pipelines (OpenAI, Anthropic, Mistral, LLaMA). Brand voice guardrails are still absent and bulk generation requires custom Flows configuration rather than native editorial tooling, capping the score.
Directus Marketplace ships AI image generation via DALL-E, AI Alt Text Writer via Clarifai, AI Focal Point Detection using OpenAI, and AI Image Moderation via Clarifai. The multimodal AI Assistant (GA since v11.16, retained in v12) supports image and PDF upload with a provider adapter pattern for OpenAI, Anthropic, and Gemini — enabling inline analysis and alt-text generation via drag-and-drop. All image generation features remain Marketplace extensions rather than natively integrated DAM features, holding the score below 70.
Directus v12.0.0 (June 2026) makes AI-assisted translation a native feature: a 'Translate with AI' button in the translations interface translates fields across all configured locales at once using the AI provider set in Settings → AI (OpenAI/Anthropic/Gemini), and editors can ask the AI Assistant to translate a post into multiple languages and have it write directly into the correct locale fields — no third-party tool or copy-paste. This supersedes the prior Marketplace-only @directus-labs/ai-text-translator (DeepL) approach. No brand-voice preservation across locales or AI-TMS quality scoring yet keeps it below 70.
The built-in AI Assistant includes a 'create SEO descriptions' prompt out of the box, and developers can chain AI Writer + AI Text Intelligence operations in Flows to auto-populate SEO metadata fields on content save. The official @directus-labs/seo-plugin provides structured SEO metadata management (title, description, OG tags, focus keyphrase) but is manual-only with no AI generation. No native automated metadata pipeline ships without Flows configuration, and no on-page SEO scoring engine is included.
Directus Flows supports multiple AI-driven content operation patterns: auto-tagging image uploads via Clarifai + Flows, scheduled publishing via date-field triggers, content moderation via AI Image Moderation, and multi-step AI pipelines combining image transformation, translation, sentiment analysis, and SEO metadata population. v12's native draft/publish workflow adds submission triggers, review notifications, and conditional approval/publish actions to these flows. Inngest is the official pattern for durable long-running AI ops and the documented n8n integration adds another automation pathway. Features still require Flows or external tool configuration rather than one-click editorial AI.
Directus has no named AI agent product, but its agentic infrastructure strengthened materially in v12.0.0 (June 2026): the official MCP server now supports OAuth 2.1 with CIMD and Dynamic Client Registration, so AI agents act on behalf of real users under their own policies after an explicit consent flow, and each agent receives a Directus role with field- and collection-level permissions. Combined with Flows this enables genuine agentic patterns (CSV product imports, WordPress migrations with taxonomy, multi-entity creation in one conversation). It remains developer/operator-facing capability without a packaged agent product or named editorial agent, keeping it in the early-to-mid band.
The @directus-labs/ai-text-intelligence-operation (Deepgram) provides Flows-based content analysis returning summaries, topics, intents, and per-segment sentiment scores, and the @directus-labs/ai-transcription-operation (Deepgram) generates transcripts from audio that can be piped into text intelligence. These are Marketplace extensions requiring Flows configuration — no native content analytics dashboard, content performance layer, or stale-content detection ships out of the box.
AI Image Moderation (@directus-labs/ai-image-moderation-operation via Clarifai) provides image-level content safety auditing in GA. The MCP + Flows combination is documented as a pattern for running content audit flows across a date range of blog posts, but this requires custom-built automation rather than a built-in auditor. No dedicated readability scoring, brand-voice compliance checking, or content-quality dashboard exists, and accessibility scanning and duplicate/thin-content detection are absent.
Directus still has no native semantic or vector search as of v12.0.0 (June 2026). GitHub discussions #17822 and #22213 requesting pgvector/embedding support remain backlog feature requests with no committed timeline. Standard Directus search is a keyword/LIKE filter via REST and GraphQL. The open API makes Directus usable as a RAG data source with externally built embedding pipelines (e.g., the Upstash Vector tutorial), but this requires fully custom external integration rather than any native AI search capability.
Directus explicitly positions itself as a content/data platform layer and not a personalization engine. No native rule-based or ML-driven personalization system is available, and no first-party personalization integrations exist in the Marketplace; personalization requires a fully external implementation (edge function, CDN logic, or third-party tool). Directus provides the flexible API to feed external personalization engines but has no native AI personalization capabilities.
Directus ships an official production MCP server (@directus/content-mcp) included in all editions at no cost, covering read/create/update/delete items, collections/fields/relations, file management, user/role/permission management, triggering Flows, markdown conversion, file imports, and dynamic Mustache-templated prompt storage. v12.0.0 (June 2026) added OAuth 2.1 support with Client ID Metadata Document (CIMD) and Dynamic Client Registration for remote MCP, alongside static-token mode, putting it at the front of the MCP field. It is schema-aware, enforces role-based permissions, includes global delete protection, logs all actions in the activity log, and supports Claude Desktop/Code, ChatGPT, Cursor, VS Code Copilot, and Raycast.
BYOK is a first-class design principle — Directus provides no hosted AI inference. Administrators supply keys in Settings → AI for OpenAI, Anthropic, and Google Gemini, plus any OpenAI-compatible API endpoint (enabling Azure OpenAI, Ollama, DeepSeek, Mistral, LM Studio, and self-hosted models). Keys are encrypted at rest and masked in the UI, an Allowed Models dropdown restricts available models per provider, and a Provider Options field passes provider-specific parameters. The only gap is no per-user quota controls in Directus itself.
Directus offers strong composable AI extensibility: the OpenAI-compatible custom endpoint field enables any model without code changes; the full REST and GraphQL API makes Directus a viable document store in RAG pipelines; custom Flows operations can call any external AI service; and the @directus/ai npm package provides shared AI types. Inngest is the official pattern for durable long-running AI workflows and the documented n8n integration adds a visual pathway to external AI services. However, no official LangChain or LlamaIndex connector exists, and there is no dedicated AI SDK or agent-optimized content delivery endpoint.
Directus governs AI through its existing policy model, strengthened in v12.0.0 (June 2026): MCP OAuth 2.1 adds explicit user consent flows and user-scoped permissions, AI agents receive a Directus role with field- and collection-level permissions, and every AI create/update/delete is logged in the native activity log with full attribution — identical to human actions. v12's native draft/publish workflow provides a human-in-the-loop gate (AI writes drafts; publishing is an intentional human action), with submission triggers, review notifications, and conditional approvals in Flows. Keys are encrypted/masked and instance-level kill switches (AI_ENABLED, MCP_ENABLED) exist. Gaps: no IP indemnification, no hallucination detection, and provider data privacy depends on the operator.
AI telemetry provider configuration for Braintrust and Langfuse (AI_TELEMETRY_ENABLED, AI_TELEMETRY_PROVIDER), added in v11.17.0 and retained in v12, exports traces for observability, usage monitoring, and token cost analysis, with AI_TELEMETRY_RECORD_IO optionally capturing full prompts and responses and AI SDK Devtools middleware for development debugging. These external platforms provide cost breakdowns, latency tracking, trace replay, and prompt experiment tracking. No native Directus dashboard for token usage, per-user consumption metrics, or AI credit quotas exists — observability is fully delegated to external tools.
Directus has one of the most granular access models in the headless CMS space — policy-based additive permissions scoped to collection, item, and field level with row-level filter rules, IP allowlisting, and native SSO. The extension framework covers custom endpoints, hooks, app extensions, and Flow operations with full CLI scaffolding. These remain best-in-class on paid tiers, though v12 now gates SSO and custom permission rules behind a license.
Both REST and GraphQL are auto-generated from the data model with documented behavior parity, deep relational filtering, and v12's JSON dot-notation path queries. Content relationships are exceptional (M2O/O2M/M2M and M2A polymorphic references), and the TypeScript-first @directus/sdk supports rest(), graphql(), and realtime(). API design quality and delivery model both score in the low 80s.
Directus ships an official production MCP server included free in all editions, upgraded in v12 to OAuth 2.1 with Dynamic Client Registration so agents act under user-scoped policies. BYOK is a first-class design principle (OpenAI/Anthropic/Gemini plus any OpenAI-compatible endpoint), and AI actions are governed through the same policy model and activity log as human actions, with native draft/publish providing a human-in-the-loop gate.
Directus wraps your own SQL database, so data lives in standard PostgreSQL/MySQL tables and schema is portable via snapshot/apply — removing Directus leaves data intact. Built entirely on mainstream Node.js, TypeScript, Vue, and standard SQL with no proprietary DSL, any full-stack TypeScript developer is productive quickly, and self-hosted Core remains free with commercial use permitted.
Directus shipped a coordinated v12.0.0 major cycle in June 2026 with rapid follow-on patches, on top of a steady weekly minor cadence, reflecting active maintenance. Directus Cloud holds a SOC 2 Type II attestation covering all five Trust Service Criteria, with a public Trust Center, CAIQ self-assessment, and penetration test reports.
Its headless, API-first architecture makes multi-channel output a core strength, serving structured content to web, mobile, and apps via REST/GraphQL plus Releases for batched publishing. v12 added native draft/published states, a redesigned Studio for non-technical users, real-time collaborative editing, and a Visual Editor for in-context editing.
Directus has no native audience segmentation, content personalization, A/B/multivariate testing, or recommendation engine — all must be implemented in the delivery layer or via external tools, with no official first-party integrations. AI-powered personalization scores at the floor, making it unsuitable as a standalone marketing experience platform.
There is no native commerce module — no catalog, cart, pricing, inventory, merchandising, or checkout content — by explicit design. Commerce platform integration is limited to iPaaS bridges (Zapier/n8n) without product picker UIs or live federation. It functions as a flexible PIM/content layer but not a commerce engine.
v12 turned on active license enforcement that disables SSO and ignores custom permission rules on the free Core tier after a 30-day grace period — a vendor-forced cutover that strands features production self-hosters depend on. Feature gating and pricing-model fit both dropped sharply, and the entry tier is now hard-capped at 3 seats / 50 collections with a ~5x jump to the $499/mo Team tier.
Native search is a basic case-insensitive LIKE filter with no relevance ranking, faceting, typo tolerance, or autocomplete, and there is no native semantic or vector search as of v12 — pgvector/embedding requests remain backlog items. Strong search requires integrating Algolia, Elasticsearch, or Meilisearch externally via Flows.
Across the use-case dimensions Directus scores low: no form builder, ESP, marketing automation, or CDP integration; no employee experience, internal comms, or enterprise search for intranet; and no native multi-brand governance, cross-brand analytics, or portfolio reporting. These require extensive custom frontend development rather than out-of-the-box tooling.
The 2026 advisory stream continued past the April HIGH-severity batch with multiple further CVEs, and there is still no paid bug bounty, holding the security track record at 50. Compliance is limited to SOC 2 Type II + GDPR/CCPA — no platform-scope ISO 27001, no HIPAA BAA, and no FedRAMP/PCI-DSS/IRAP.
Database-first architecture, dual REST/GraphQL APIs, granular permissions, a strong extension model, and low vendor lock-in let generalist TypeScript developers own content modeling, API, auth, and delivery with minimal specialist premium.
An official free MCP server with OAuth 2.1, first-class BYOK across providers, native AI translations and assistant, and policy-based AI governance with full audit logging make Directus a leading choice for content-aware AI integration.
Flexible schema modeling, M2A relationships, native translations, and proven multi-channel PIM deployments support distributing structured product and content data to web, mobile, Shopify, and marketplaces from a single source.
Source-available self-hosting and full free access for orgs under $5M revenue and 50 employees, with ~90-second cloud provisioning and one-click deploys, give a fast, low-cost path to production for a solo developer or small team.
Row-level tenant filtering plus policy-based permissions support production multi-tenant and multi-storefront deployments on a single instance, validated by real SaaS case studies, though no native tenant orchestration exists.
No native segmentation, personalization, A/B testing, campaign management, forms, ESP, or marketing automation — all must be built externally, making Directus a poor standalone marketing experience platform.
No commerce module, merchandising, checkout content, or conversion analytics by design; commerce connectivity is limited to iPaaS bridges without product pickers or live federation.
No native employee portal, internal communications, people directory, enterprise search, or engagement analytics; building an intranet requires extensive custom frontend development.
No HIPAA BAA, no platform-scope ISO 27001, and no FedRAMP/PCI-DSS/IRAP; compliance breadth is limited to SOC 2 Type II and GDPR/CCPA, alongside a recurring high-severity advisory pattern.
Both are source-available, developer-centric Node.js headless CMSes, but Directus's database-first model, granular policy permissions, dual REST/GraphQL parity, and AI/MCP infrastructure are more mature, while Strapi has a larger community and content density. Directus's v12 MSCL relicense narrows its open-source advantage relative to Strapi.
Directus advantages over Strapi
Directus disadvantages vs Strapi
Payload's MIT relicense in 2026 strengthened its open-source positioning precisely as Directus moved to the more restrictive MSCL with active enforcement, pushing some self-hosters toward Payload. Directus counters with its database-first SQL approach, broader admin tooling, and stronger AI/MCP story, but the licensing contrast is a real competitive headwind.
Directus advantages over payload
Directus disadvantages vs payload
Contentful offers a more polished SaaS experience, richer ecosystem, and published enterprise scale guarantees, while Directus wins on low vendor lock-in, self-hosting flexibility, granular permissions, and cost for small teams. Contentful is stronger for turnkey marketing and enterprise compliance; Directus for developer control and data ownership.
Directus advantages over Contentful
Directus disadvantages vs Contentful
Sanity's structured content, real-time collaboration, and starter/ecosystem polish are more refined, while Directus's relational SQL modeling, M2A relationships, and self-hosted ownership differentiate it. Both lack native commerce and marketing tooling; Directus leads on permission granularity and AI/MCP infrastructure.
Directus advantages over Sanity
Directus disadvantages vs Sanity
Storyblok's visual editor and marketer-focused page-building experience are far stronger for non-technical content teams, whereas Directus targets developers with database-first modeling, granular permissions, and API flexibility. Directus has no true drag-and-drop layout designer, so Storyblok wins on landing-page and marketing fit while Directus wins on data control and extensibility.
Directus advantages over Storyblok
Directus disadvantages vs Storyblok
Directus is essentially stable this period, with the only meaningful movement a modest uptick in Operational Ease (47 → 47.8) while Capability, Platform Velocity, Cost Efficiency, Build Simplicity, and Compliance & Trust held flat. The Operational Ease gain is driven by the v12.0.0 release cycle: fast patch turnaround (v12.0.1 and v12.0.2 within days), continued dependency and CVE hygiene, and a reworked health surface that better supports multi-instance deployments, which together slightly outweigh the added friction of a major-version upgrade. The standout for practitioners is the v12.0.0 relicensing from BUSL-1.1 to the source-available MSCL-1.0-GPL with active license enforcement now turned on — a governance shift worth evaluating closely even though its scoring impact this cycle was marginal.
Score Changes
The v12.0.0 major release (Jun 10, 2026) makes upgrades materially harder than the clean v11.17.x cadence: operators must evaluate licensing, potentially convert SSO users to email/password, flip the now-default `IP_TRUST_PROXY=false` if behind a reverse proxy, repoint monitoring off the newly auth-restricted `/server/health`, and migrate theme/extension code (shell scope, removed v-button `rounded`, deprecated VResizeable). The non-semver risk the prior score flagged is now realized as a multi-step v11→v12 migration. Not lower because most data-layer changes (status→archived boolean, ?version=published) are backward-compatible and the API upgrade itself remains Docker-image-swap based.
Patch velocity remains good — v12.0.1 (Jun 11) and v12.0.2 (Jun 12) shipped fixes within days of v12.0.0, and no new advisories have appeared since the April 2 batch. v12 also hardens defaults (`IP_TRUST_PROXY=false` against IP spoofing, `/server/health` no longer exposed to anonymous callers), a modest security-posture gain. Score stays well below peers because the historical advisory volume (15+ in ~6 months, including the April High-severity batch fixed in 11.17.x) still dominates the baseline.
v12.0.0 relicensed Directus from BUSL-1.1 to the source-available MSCL-1.0-GPL and turned on active license enforcement: self-hosted instances default to a Core tier where SSO logins stop working, custom permission rules on access policies are ignored, and custom/self-hosted LLMs and AI translations are disabled — enforced after only a 30-day grace period on upgrade. This is a textbook vendor-forced cutover on the vendor's timeline that strands features production self-hosted users already depend on, the most severe forced-migration event in Directus's recent history. Scored near the dataset floor for this dimension because enforcement is immediate, the grace window is short, and the changes are commercially coercive rather than merely technical.
v12 continued the monorepo consolidation and active CVE hygiene seen across the 11.17.x line, with the API advancing to @directus/api@36.x. The Docker-first runtime (Node, database, optional Redis/search/CDN) is unchanged in shape, and the major-version dependency jump was absorbed without introducing new external service requirements. No movement: dependency surface and tending quality are stable versus the prior assessment.
v12 reworks the health surface: `/server/health` is now cached and shared across multi-instance deployments and restricted to authenticated users (404 for anonymous), with `/server/ping` designated for liveness and new `HEALTHCHECK_ENABLED`/`HEALTHCHECK_SERVICES` env vars to toggle or scope checks. The added granularity and multi-instance correctness are genuine operational improvements, but they require reconfiguring existing health probes on upgrade. Still no native APM or webhook-delivery dashboards, so external monitoring remains mandatory and the score moves only incrementally.
v12 adds modest content-governance guardrails — published items in versioned collections are now locked and must be edited through a draft version, reducing accidental edits to live content — though it also removed the extra confirmation step from the publish flow, slightly raising accidental-publish risk. JSON repeater inline editing and keyboard date entry (v12.0.1) smooth day-to-day editing. Automated content hygiene (orphan detection, broken-reference alerts, content expiry) is still absent, so the net change is neutral.
v12 brings no major performance-management step change beyond the multi-instance health-check caching, which trims redundant probe load. The tunable surface established in 11.17.x (ASSETS_CACHE_REVALIDATE ETag/must-revalidate headers, GraphQL resolver dedup, Redis namespace control, useItems count-request reduction) carries forward. Self-hosted operators still own Redis, CDN, and database tuning, so the score holds steady.
Velocity remains a strength: v12.0.1 and v12.0.2 each shipped real bug fixes (batch-update revision snapshot mismatch, user-count with conflicting policy/role) within one to two days of the v12.0.0 GA, and the 11.17.x line patched the April advisory batch promptly. The non-semver model still bundles fixes into version bumps rather than isolated hotfixes, adding upgrade friction for conservative self-hosted operators. Held steady at mid-range as the responsive cadence offsets the absence of a dedicated hotfix-branch model.
Directus shows mixed momentum, with modest gains across Cost Efficiency, Build Simplicity, and Platform Velocity offset by a meaningful decline in Operational Ease tied to the April 2 disclosure of four HIGH-severity advisories that pulled down security track record and issue resolution velocity scores. Capability and Compliance & Trust held essentially flat, while ecosystem-facing items improved as expanded Zapier, marketplace, and Vercel/Netlify integration coverage lifted MarTech connectivity and integration breadth. Practitioners evaluating Directus should weigh the strengthened deployment and integration story against the recent security advisory cluster, even though the patch cadence — five releases in five weeks — indicates responsive remediation.
Score Changes
On April 2, 2026, four HIGH-severity advisories were disclosed: TUS upload authorization bypass (GHSA-qqmv-5p3g-px89), unauthenticated DoS via GraphQL alias amplification (GHSA-6q22-g298-grjh), SSRF protection bypass via IPv6 (GHSA-wv3h-5fx7-966h), and authenticated field extraction via aggregate queries (GHSA-38hg-ww64-rrwc), plus several moderate issues (OAuth/SAML redirect, schema disclosure, 2FA open redirect). Combined with the 2025 CVSS 9.3 critical (CVE-2025-55746), this is a recurring pattern of high-severity vulns; while the v11.17.1–v11.17.4 patch line indicates active remediation, there is no public bug bounty program, which holds the score at 50.
Five releases in five weeks demonstrates a sustained patch cadence, and the April 2 advisory batch was remediated quickly across v11.17.2–v11.17.4 with concurrent dependency CVE updates. The non-semver model still bundles security patches into version upgrades rather than isolated hotfixes, adding friction for self-hosted operators on conservative upgrade schedules. The April security volume keeps the score below peer headless CMS averages despite the responsive cadence.
Directus has official integration guides for Zapier (Beta — connecting to thousands of apps including CRM, MAP, CDP, and ad platforms), n8n (dedicated Directus node with CRUD operations and trigger node for event-based automation to 400+ service nodes), and Clay (data enrichment and automated workflows). These move beyond the previous Flows-only webhook pattern to officially supported automation bridges. However, there are still no first-party native connectors to Salesforce, HubSpot, Marketo, or ad platforms in the Directus Marketplace through v11.17.4 — all MarTech connectivity is mediated through automation platforms rather than purpose-built integrations.
Directus has an in-app Marketplace backed by the npm registry covering 7 extension types (interfaces, displays, layouts, modules, panels, hooks, operations). The official directus-labs/extensions GitHub repo provides experimental first-party extensions. Directus now has an official integrations documentation section with guides for n8n, Clay, Zapier (beta), Vercel, Netlify, and Framer — showing ecosystem maturation beyond the Marketplace. The Zapier beta integration alone opens 6000+ app connections. Still smaller than Contentful or Storyblok's ecosystems but growing meaningfully.
Directus has 6 dedicated integration guides: native Vercel and Netlify deployment modules (with real-time build status), Zapier (beta) opening thousands of app connections, n8n community node for workflow automation, Clay for data enrichment, and Framer for bidirectional CMS sync. v11.17 enhanced deployment integrations with provider dashboard links. The ecosystem is broadening beyond UI/workflow extensions but still lacks pre-built integrations for commerce, DAM, and analytics categories.
Cloud Professional at $99/month includes all infrastructure. For self-hosted, Redis is optional for single-container deployments (memory store is default), reducing minimum infrastructure to a container host and PostgreSQL. Railway one-click deploy provides affordable hosting (~$5–20/month for small projects). Typical production self-hosted costs on AWS/GCP run $20–100/month without Redis. Score reflects the additional infrastructure spend versus pure SaaS for the most likely deployment path.
No new security advisories since the April 2, 2026 batch of 9 (4 High severity), and patches landed quickly via v11.17.2 (Apr 6) plus subsequent dependency updates in v11.17.3 and v11.17.4. The vendor's disclosure-and-patch velocity is genuinely good — the issue is the historical volume (15+ advisories in ~5 months), not slow remediation. A modest uptick reflects the clean April–May window without offsetting the elevated baseline.
Directus has official integration guides for n8n (which has dedicated nodes for Slack, Microsoft Teams, Google Workspace) and Zapier (Beta — connecting to thousands of workplace tools). These provide structured automation paths for content-to-workplace-tool delivery beyond raw Flows webhooks. The MCP server allows AI assistants (Claude Desktop, Cursor) to interact with Directus content. However, there are still no native embedded content cards, no bot-driven experiences, and no single-pane integrations with workplace tools through v11.17.4 — all integration remains automation-platform-mediated.
Workflows are constructed from status fields + Flows (event-driven automations) + role-based permissions that restrict state transitions. Multi-stage approval is achievable: writers submit, a Flow notifies reviewers, permissions block publishing until approved. Manual Flow triggers with confirmation modals collect additional input at workflow steps. Official integration guides for n8n and Zapier provide documented paths to extend workflow automation with visual workflow builders, expanding the ecosystem. Functional but still requires significant configuration effort for native workflows; no visual BPMN-style workflow designer in core.
Flows are the sole automation system with five trigger types: event hook (item CRUD, file upload, login, errors), incoming webhook (GET/POST with async response option), CRON schedule, another flow, and manual trigger. Filter hooks are blocking (can transform/reject); action hooks are fire-and-forget. Official n8n integration adds a dedicated Directus Trigger node for event-driven external workflows, expanding the event consumption ecosystem. Key gaps remain: no native HMAC signing on outgoing payloads and no built-in retry logic for failed webhook deliveries.
No official GA4, Segment, or Amplitude first-party integrations. However, the official Zapier beta integration and n8n verified node provide documented iPaaS paths to analytics platforms without requiring custom webhook code. Directus Flows can also emit webhooks on content operations. This is iPaaS-mediated integration, not a native analytics connector, but materially easier than raw webhook-only patterns.
Directus Flows can send transactional emails via SMTP as a built-in operation. No official pre-built connectors to Mailchimp, HubSpot, Marketo, or Brevo exist in the Marketplace. The Zapier beta integration and n8n verified node provide iPaaS paths to ESPs without custom code, marginally improving the story over pure webhook-based integration. Still no subscriber list sync, email template builder, or campaign orchestration in core.
Directus Flows provides a comprehensive event-driven automation engine: 5 trigger types (Event Hook on any collection CRUD/login/error, inbound Webhook, Schedule/CRON, Another Flow, Manual button), HTTP Request operations for outbound calls. v11.16 added a Deployment module with real-time webhook status for Vercel/Netlify deployments and role-based deployment access. Official Zapier triggers and n8n trigger nodes now provide documented event-driven integration paths. No native Kafka/EventBridge/Pub-Sub streaming; no signed payload verification confirmed.
docs.directus.io is comprehensive and well-structured with REST, GraphQL, and SDK examples across every endpoint, plus a dedicated integrations section providing 6 step-by-step guides for n8n, Zapier, Vercel, Netlify, Clay, and Framer. Getting-started guides and extension development documentation are thorough. No interactive API playground ships with Directus (third-party tools required), holding the score below 80.
Directus has Udemy courses (Directus CMS QuickStart, Next.js + Directus course), a dedicated learning site (learndirectus.com), official Directus TV tutorials, and expanded official integration documentation. Multiple 2026 comparison articles (dasroot.net, elmapicms.com, focusreactive.com) feature Directus prominently. Still does not reach Strapi's content density but improving.
Directus shows continued momentum through v11.17's expanded deployment integrations (Netlify joining Vercel), official n8n workflow automation docs, and 10M+ claimed installations. Enterprise customers cited include Adobe, AT&T, Bose, Tripadvisor, and the U.S. Navy. Employee count stable at ~55 across 5 continents. Growing integration ecosystem signals platform maturation beyond pure CMS into data platform positioning.
Multiple 2026 comparison articles position Directus favorably: 'Directus and Payload stand out as the top open-source headless CMS options' (focusreactive.com). Database-first architecture is a clear differentiator. Growing integration ecosystem (Vercel, Netlify, n8n) strengthens the platform story beyond pure CMS. However, still lacks analyst recognition (no Gartner MQ or Forrester Wave listing) and faces competition from Strapi (~70k stars) and Payload.
Directus eliminated all cloud-exclusive features (e.g., Kanban layout) in v10.1.0, making them available to self-hosted users. Full feature parity now exists across all deployment modes. Cloud Professional vs. Enterprise differentiates on infrastructure (dedicated vs. shared) and support level, not features. SSO, custom roles, audit logs, and security features are not gated. This is among the most buyer-friendly models in the headless CMS space.
Directus Cloud provisions a project in ~90 seconds. The Railway one-click deploy template provides a fast self-hosted path. Expanded integration guides for Vercel, Netlify, n8n, Zapier (beta), and Framer reduce integration time. Framework-specific tutorials for Next.js, Nuxt, Astro, and SvelteKit lower the learning curve. The SDK remains a standard npm package. Cloud and Railway paths both reach first API call in under 30 minutes.
Directus Cloud is fully managed with near-zero ops overhead. Self-hosted operational burden is moderate: Redis is optional for single-container deployments, Railway one-click deploy handles infrastructure provisioning, and CLI cache management commands aid day-to-day operations. For single-container self-hosted setups, ops overhead is primarily Docker container management and PostgreSQL administration — no Redis complexity unless horizontally scaling.
Structured quickstart guide, dedicated tutorials section, and framework-specific guides for React, Nuxt, and Astro. v11.17 cycle integration guides for n8n, Vercel, and Netlify deployments expanded the docs surface for common deployment workflows. The directus-template-cli provides project scaffolding and AI Assistant (GA) offers in-context help. No formal certification program or in-app guided tours, keeping it below Contentful or Sanity's onboarding depth.
Self-hosted Directus requires a .env file with DATABASE_CLIENT + connection vars, SECRET, ADMIN_EMAIL, and ADMIN_PASSWORD — typically 6–10 env vars for production. Directus Cloud eliminates most of this. v11.17 Netlify and Vercel deployment integrations with provider webhooks and cryptographic signature verification reduce deployment config friction, though the core self-hosted setup surface remains unchanged through v11.17.4.
The Data Studio admin UI is polished for non-technical users with native collaborative editing, live presence indicators, and field-level locking. The Visual Editor lets editors work in context on the frontend. v11.17 deployment module RBAC lets content teams trigger Vercel/Netlify builds without full admin access, removing a key developer bottleneck in the publish workflow. Structural changes still require developer access, but operational editorial friction continues to decrease.
Directus has ~34.8k GitHub stars, 4.7k forks, 10k+ Discord members, and claims 10M+ total installations. The 20K+ star tier warrants 75+, but Discord size is moderate relative to Strapi (~70k stars) and npm monthly download volume for @directus/sdk remains modest. Steady growth trajectory.
Directus wraps your own database, so schema changes operate at the DB level without proprietary field count limits. Schema migration endpoints enable environment promotion with diff and dry-run previews; global draft versions across every collection improve content versioning. v11.17's translations generator endpoint and UI automate i18n collection/field creation. Renaming or changing field types still carries standard database-level risk, though tooling helps inspect changes.
Directus continues its non-semver policy, but v11.17.3 (Apr 15) and v11.17.4 (Apr 30) shipped without breaking changes — a positive break from the v11.17.0 pattern (px→rem UI conversion, background import timeout, collab export path moves). v11.17.4 even added a `--force` option to schema apply, smoothing out a common upgrade friction point. Self-hosted operators must still test every minor/patch release given the policy, but recent cadence has been cleaner.
Two consecutive clean releases (v11.17.3, v11.17.4) with no forced migrations or schema changes — the longest stretch without breaking changes in recent memory. The non-semver model still creates structural unpredictability, but v11.17.4's optional `ASSETS_CACHE_REVALIDATE` env var and additive AI/UI features show the team can ship without forced cutovers when they choose to. Score remains below peer averages because the historical pattern still dominates the risk model.
Directus remains broadly stable this cycle with no movement across five of six composite dimensions, while Compliance & Trust edged up slightly from 50.4 to 50.8. That modest gain is driven by improved certification coverage—specifically the addition of a CSA STAR Level 1 self-assessment—and stronger audit logging capabilities around activity tracking and API-accessible compliance reporting. Practitioners evaluating Directus should note that while the platform's trust posture is incrementally improving, Operational Ease at 48.1 and Compliance & Trust just above 50 remain its weakest areas, and neither is moving fast enough to materially change its competitive positioning in the near term.
Score Changes
Beyond SOC 2 Type II, the Trust Center now lists a CAIQ self-assessment, which constitutes CSA STAR Level 1. This is a meaningful addition for cloud security posture documentation. NIST SP 800-53 and AWS Well-Architected Framework alignment remain framework adoption rather than certifications. No PCI-DSS, Cyber Essentials, FedRAMP, or IRAP.
Directus Activity Log captures all user actions, system events, timestamps, and IP addresses via REST and GraphQL APIs with export capability. New n8n integration documentation provides event-based trigger nodes that can forward Directus events to external systems, offering a documented path for audit event forwarding beyond pure API polling. Still no native SIEM push integration. Log retention period not documented. Direct database changes not tracked.
Directus is stable overall with a modest uptick in Compliance & Trust (+3), the only composite dimension to move this cycle. The gains are driven by improved accessibility documentation and authoring UI accessibility scores, alongside incremental progress on GDPR and data lifecycle transparency — reflecting Directus's recent investment in a dedicated accessibility page and clearer privacy documentation rather than any fundamental platform shift. Practitioners should note that while compliance posture is trending upward, HIPAA readiness remains a significant gap, and the platform's core Capability, Cost Efficiency, and Build Simplicity scores are unchanged.
Score Changes
Directus now publishes an official accessibility documentation page for Data Studio with keyboard navigation (Tab, arrow keys, Enter/Space), skip menu, and keyboard shortcuts (Meta+S save, Meta+Enter apply, Escape cancel). Known limitations are transparently documented: manual sorting not accessible, DateTime interface not accessible, CodeMirror cannot be exited via Tab. No formal WCAG 2.1 AA conformance claim, but active accessibility commitment shown.
Directus now has a dedicated accessibility documentation page covering keyboard navigation and known limitations, which is a notable improvement over having no accessibility content. However, no VPAT/ACR exists, no Section 508 conformance statement, and no ATAG 2.0 assessment is published. The documentation page is practical guidance rather than formal procurement-grade accessibility documentation.
Directus publishes a Privacy Policy with GDPR rights (erasure, portability, access, rectification) and CCPA rights. Multiple EU regions available on Professional and Enterprise tiers. Sub-processor list maintained on Trust Center (AWS, Cloudflare, SendGrid, Northflank, Google). Enterprise Cloud now includes a GDPR-compliant DPA, though it is not self-service for lower tiers — DPA availability limited to Enterprise prevents a higher score.
No HIPAA BAA is offered by Directus Cloud, and no healthcare-specific documentation exists in compliance materials. However, self-hosted Directus can connect directly to existing SQL databases, and third-party guidance positions it as usable for healthcare when self-hosted on HIPAA-eligible infrastructure with proper safeguards. No official BAA or HIPAA guidance from Directus itself prevents scoring above 25.
Trust Center documents data erasure procedures and privacy policy supports right-to-erasure. Cloud policies now confirm data deletion at end of service: 'all project data will be deleted' upon cancellation or termination. Activity API allows programmatic data access. Automatic daily backups with envelope encryption. However, specific retention window (e.g., 30 days post-termination) is not documented, and no self-service bulk export portal exists.
Directus Activity Log captures all user actions, system events, timestamps, and IP addresses, accessible via REST and GraphQL APIs. Log export is now confirmed — users can select logs and choose export format. However, no native SIEM push integration exists; SIEM integration requires API polling. Log retention period still not documented. Database-level changes bypassing Directus are not tracked.
Directus matures its enterprise offering with improved RBAC granularity, better audit logging, and expanded integration marketplace. Platform velocity moderates as the product stabilizes after the v11 release cycle. The self-hosted open-source model remains a key differentiator for cost-conscious teams, though the gap between free and paid tiers widens as premium features are gated behind enterprise licensing.
Platform News
Granular role-based access control improvements and comprehensive audit trail for enterprise compliance
Growing catalog of community and official extensions/integrations
Directus v11 brings a revamped extension SDK, improved TypeScript support, and better multi-tenancy capabilities. The platform surpasses 30k GitHub stars and establishes itself firmly in the headless CMS/data platform space. SOC 2 Type II certification is achieved for Directus Cloud, significantly boosting regulatory readiness. However, the platform still lags in native commerce and complex multi-brand use cases compared to purpose-built DXPs.
Platform News
Revamped extension development experience with better TypeScript support and sandboxed extensions
Directus Cloud achieves SOC 2 Type II, strengthening enterprise compliance posture
Continued strong open-source adoption and community engagement
Directus continues steady growth with v10.x releases adding real-time collaboration features, improved Flows with more trigger types, and enhanced API performance. The extension ecosystem expands but remains smaller than competitors like Strapi. Directus Cloud gains traction among mid-market teams, though pricing changes from fully free self-hosted to a tiered model create some community friction.
Platform News
WebSocket-based real-time updates for collaborative editing scenarios
Additional trigger types and operations expand automation capabilities
Introduction of tiered pricing structure for cloud and enterprise offerings
Directus v10 ships with significant stability and performance improvements, a refreshed admin UI, and an extension marketplace. The platform crosses 25k GitHub stars, showing strong developer adoption. Content versioning and improved relational data handling strengthen the CMS story, though enterprise features like granular audit trails and compliance certifications still lag behind competitors.
Platform News
Major version with performance improvements, refreshed UI, and extension marketplace
Rapid open-source community growth signals strong developer interest
Better support for draft/published workflows and content revision history
Directus raises a $23.5M Series A led by OSS Capital, validating the open-source data platform strategy. Directus Cloud launches as a managed hosting option, reducing operational burden for smaller teams. The funding accelerates hiring and feature development, with SSO support, improved permissions, and better content versioning landing in this period.
Platform News
Led by OSS Capital, funding used to scale team and accelerate product development
Managed cloud hosting option reduces self-hosting burden and opens SaaS revenue model
Added SSO via OAuth2/OpenID Connect, improving enterprise viability
Directus v9 stabilizes through rapid iteration with frequent point releases addressing bugs and adding features like Flows (automation engine) and improved role-based access control. The open-source community grows steadily on GitHub. However, enterprise capabilities remain thin — no SSO, limited audit logging, and no hosted cloud offering yet.
Platform News
Visual workflow automation built into Directus, enabling event-driven logic without custom code
Dozens of patch releases stabilizing the v9 platform with bug fixes and incremental features
Directus v9 launches as a complete Node.js/Vue 3 rewrite, replacing the legacy PHP v8 codebase. The new architecture brings a modern REST+GraphQL API and modular extension system, but the platform is still early with limited enterprise features and a small ecosystem. Community excitement is high but production readiness is unproven.
Platform News
Full rewrite from PHP to Node.js with Vue 3 admin app, REST and GraphQL APIs, modular extensions
Directus positions itself as a 'Data Platform' rather than just a headless CMS, broadening use-case ambitions
How composite scores (0–100) have changed over time. Click legend items to show/hide metrics.