Directus

Directus maps all DB column types to a rich field set: string/text, number, datetime, boolean, JSON, UUID, geospatial (GeoJSON), file, and alias/relational fields. Schema-as-code is first-class via `npx directus schema snapshot` (YAML/JSON export) and `schema apply` with diff-based migration, enabling CI/CD environment promotion. Repeater fields handle nested JSON arrays; M2A handles polymorphic references. Not quite 80+ because geospatial requires DB-level extension support and union-typed fields beyond M2A are limited.

Directus natively supports M2O, O2M, M2M (auto-created junction table), and M2A (Many-to-Any — polymorphic references across multiple collections). M2O/O2M pairs are surfaced bidirectionally in the data model. M2A is the key differentiator, enabling one field to reference items from any number of collections by storing collection name + item ID in the junction. This is fully queryable from both sides and is the foundation of block-based page building.

Block-based composition is achieved via M2A relationships — create block-type collections (hero, text, CTA, etc.) and an M2A field on the page collection. Repeater fields handle simple inline sub-object arrays. Community extension `directus-extension-flexible-editor` integrates Tiptap with M2A relation nodes for embedded structured blocks within rich text. Prevents a higher score: nested repeaters (repeater-in-repeater) are not natively supported; the block system requires developer setup.

Built-in validations include required, unique, regex (with custom error messages), min/max for numeric and text, and conditional validation — field-level conditions that change required/validation rules based on the values of other fields in the same item. Validations fire on create/update via the app or API. Custom validation beyond regex is possible via Flows (event-driven automations) or custom API extension hooks. Conditional cross-field validation is a genuine strength that pushes this into the 70+ range.

Named content versions since v10.7; v11.16 (2025) added global draft versions per collection — every versioning-enabled collection automatically gets a draft version per item, no manual setup. Granular revision history with diff highlighting shows exactly what changed between revisions. Promote-to-main workflow for publishing. Live preview integrates with `{{$version}}` URL param to preview any specific version. Scheduled publishing via Flows/CRON. No formal Git-style content branching (staging vs. production at the environment level) limits the score.

Directus has a dedicated Visual Editor module (not merely a preview pane) that uses `@directus/visual-editing` JS library on the frontend to expose editable regions — editors click elements on the live site and edit them in-context. v11.15 added an AI Assistant sidebar within the Visual Editor. However, the core editing experience remains form-based in the Data Studio; the Visual Editor adds a click-to-edit overlay mapping frontend elements to form fields. No native drag-and-drop page layout management — block reordering requires the M2A block pattern with developer setup.

Native built-in editors (WYSIWYG and Markdown interfaces) output HTML string and Markdown string respectively — neither outputs a portable AST. The community-maintained `directus-extension-flexible-editor` (Tiptap) outputs ProseMirror JSON AST with embedded M2A relation nodes, enabling structured/portable output. Because AST output requires a third-party extension not bundled in core, the native experience scores in the 55–70 adequate range, and the lack of native AST output prevents a higher score.

Directus wraps the Sharp library for on-the-fly image transforms via URL parameters — resize, crop, format conversion, quality, blur, and more. WebP and AVIF both natively supported (`?format=webp`, `?format=avif`). Focal point stored per file (`focal_point_x/y`) and applied automatically during crop. Transformation presets definable by admins and referenced by name. Folder organization, metadata, alt text, tags. The gap to 80+ is the absence of a built-in managed CDN (transforms are cached externally) and no native DAM-level features like rights management.

Native real-time collaborative editing landed in v11.15 (2025), promoted from a community extension to core. Multiple users can edit the same record simultaneously; field-level locking prevents last-write-wins conflicts; presence indicators show user avatars in the item header and next to specific fields being edited. WebSocket-backed with Redis for multi-instance deployments. Enabled by default via `WEBSOCKETS_COLLAB_ENABLED=true`. Falls just short of 80+ because field-level locking (not true simultaneous per-character co-editing like Google Docs) and this is still relatively new in production.

Workflows are constructed from status fields + Flows (event-driven automations) + role-based permissions that restrict state transitions. Multi-stage approval is achievable: writers submit, a Flow notifies reviewers, permissions block publishing until approved. Manual Flow triggers with confirmation modals collect additional input at workflow steps. Functional but requires significant configuration effort; no visual BPMN-style workflow designer. Not as turnkey as purpose-built workflow systems in enterprise CMSes like Contentful or Sitecore.

Both REST and GraphQL are first-class citizens, auto-generated from the data model — neither is secondary. REST filter syntax supports logical operators (`_and`, `_or`, `_not`), deep filtering on relations, aggregation, field selection, sorting, and limit/offset pagination. GraphQL supports the same with subscriptions via WebSockets for real-time data. Official TypeScript-first SDK (`@directus/sdk`) with composables for `rest()`, `graphql()`, and `realtime()`. Native MCP support added in v11.13 for AI agent integration.

Directus has no built-in managed CDN. Directus Cloud (managed hosting) does not include a bundled CDN layer. The recommended pattern is placing Cloudflare, Fastly, or similar in front of Directus to cache asset transform URLs and API responses — Directus emits correct `Cache-Control` headers for this purpose. Server-side data caching (Redis or in-memory) reduces origin load. CDN cache invalidation on publish requires wiring a Flow to call an external CDN purge API; there is no built-in integration. Per open-source scoring guidance, absence of built-in CDN is the baseline.

Flows-based webhook system covers a broad event set: item create/update/delete (filter and action hooks), file upload, user login, manual trigger, CRON schedule, and incoming webhook (to receive external webhooks). Filter hooks are blocking (can transform/reject); action hooks are fire-and-forget. Conditional dispatch via Flow condition operations. Key gaps: no native HMAC signing on outgoing payloads (requires custom extension) and no built-in retry logic for failed webhook deliveries. These gaps cap the score in the 55–65 range.

Directus is database-first and API-first — all content is accessible via REST and GraphQL with no coupled frontend. Official `@directus/sdk` is TypeScript-first, isomorphic (Node + browser), modular, and supports REST, GraphQL, and real-time WebSocket subscriptions. Official starters and tutorials exist for Next.js, Nuxt, SvelteKit, Astro, and React Native. Community SDKs for Python, Go, Dart/Flutter, and PHP exist but are not officially maintained. Built-in multilingual translations pattern. Score held below 80 because the official SDK covers only JS/TS natively and rich text output is HTML/Markdown (not AST) in core.

Directus has no native audience segmentation engine. The platform's own blog post ('Is Your CMS Ready for AI & Personalization?') explicitly frames Directus as the infrastructure layer where segment metadata can be stored, not as the segmentation engine itself. All targeting logic must live in the delivery layer. No official CDP integrations documented.

Directus can store content variants as separate items with metadata fields for targeting rules, but there is no native variant-serving mechanism, in-editor preview per audience, or decision engine. Personalization requires a fully external implementation (edge function, CDN logic, or third-party tool). No official first-party personalization integrations exist.

No native A/B or multivariate testing capability. Directus is a content repository only; experimentation logic, traffic allocation, and results reporting all require fully external tools. No documented integration with Optimizely Web, LaunchDarkly, or similar platforms.

No algorithmic content recommendation engine exists in Directus. The platform provides no ML-based, collaborative filtering, or weighted editorial recommendation layer. Manual content curation is possible via editorial tooling but there is no algorithmic support whatsoever.

Directus provides a basic `?search=` query parameter that performs case-insensitive LIKE queries across string fields. There is no relevance ranking, typo tolerance, faceting, autocomplete, or semantic matching. This is filter-level search at best, not a search engine.

In April 2025, Directus added official Algolia and Elasticsearch Operations to the Directus Marketplace, enabling Flows (the automation engine) to create, update, delete, and search records in both platforms natively without custom code. The community extension `directus-extension-searchsync` has long supported both engines. This is now a first-class integration path.

No native vector search, embedding generation, or semantic similarity features. Directus's MCP support and AI Assistant do not include a vector search layer. Implementing semantic search would require a fully custom external stack (e.g., pgvector + custom Flows) with no turnkey solution offered.

Directus has no native commerce module — no product catalog, cart, pricing, inventory, or order management. This is by explicit design. GitHub discussion #16778 confirms that commerce logic is intentionally deferred to dedicated commerce platforms.

No official pre-built connectors to Shopify, commercetools, or BigCommerce. Directus has a documented 'Built With Directus' PIM showcase for Shopify showing an architecture pattern, and Pipedream supports a Directus↔Shopify automation pair. These are architecture references, not bundled connectors with product picker UIs or live data federation.

Directus's flexible schema builder handles product-specific field patterns well — rich text, images (via File Library), relational attributes, translations, and variant structures are all native. Multiple 'Built With Directus' showcases demonstrate fashion/e-commerce PIM architectures. This is a generic content model repurposed for products rather than a product-specific content type system.

Directus Insights provides customizable dashboards over data stored in the Directus database — this is data visualization of your own content data, not content performance analytics. There is no tracking of consumer page views, engagement, or content health. A community Marketplace extension adds API activity and storage usage metrics. No content performance loop exists.

No official GA4, Segment, or Amplitude integrations. Directus Flows (the automation engine) can emit webhooks on content operations, enabling custom integrations. Pipedream supports a Google Analytics↔Directus pair. The typical pattern is instrumenting analytics in the frontend consuming the Directus API. This is webhook-based custom integration only, not an official documented analytics connector.

No native content intelligence — no SEO scoring, content gap analysis, topic clustering, or performance-driven recommendations. Directus has basic tagging/classification via relational fields. AI extensions (AI Writer, data analysis operations in Flows) could theoretically power content analysis workflows but there is no turnkey content intelligence feature.

Multi-site is achievable via a single Directus instance with RBAC and row-level permissions (dynamic variables scope data per site/brand). A Directus TV episode ('Mission: Multisite CMS') documents the architecture pattern. However, there is no dedicated multi-site UI module, no shared component library tooling, and no centralized governance dashboard — this is a DIY RBAC pattern, not a native multi-site product.

Directus provides native field-level translations via a Translations relational field that auto-generates junction tables per collection. All locales are managed within a single item view; editors can work on individual locales without affecting others. The admin UI itself supports 55 languages. ISO locale codes are supported throughout. This is a first-class field-level localization architecture.

Crowdin has an official first-party integration with documented tutorial and Crowdin Marketplace app for auto-syncing source strings and translations. Localazy also has an official plugin. However, Phrase (Memsource), Smartling, and Lokalise have no official first-party integrations — those require custom Flows/webhooks. Two official TMS integrations is solid for a tier-2 open source platform.

Multi-brand management is handled through Directus RBAC — roles per brand, row-level permissions, custom access policies. There is no dedicated brand governance module, no cross-brand approval workflow tooling, and no global style/policy enforcement dashboard. Organization-level management without cross-brand policy enforcement.

Directus AI Assistant went GA in v11.15 (late 2025) with multi-provider support (OpenAI, Anthropic, Google Gemini, Ollama-compatible). It is content-aware — editors can attach content items and predefined prompts; the Visual Editor has a dedicated AI sidebar. The AI Writer Marketplace extension adds text generation, SEO descriptions, length adjustment, and grammar fixing. More than basic text generation but lacks formal brand voice controls or advanced field-type-specific prompting.

Multiple AI workflow capabilities exist: AI Transcription (Deepgram), AI Text Translation (DeepL, 30+ languages), AI Image Generation (DALL-E), and data analysis operations in Automate (Flows). MCP support (v11.13) enables AI agents to operate on Directus content with full permissions. However, there is no turnkey auto-tagging, smart scheduling, or metadata generation UI — these require custom Flows configuration.

The strongest governance layer is MCP: all AI actions go through Directus's existing auth/permissions system and are fully logged, providing an audit trail for AI operations. However, there are no dedicated AI content moderation features, hallucination detection, brand safety controls, confidence scoring, or prompt governance tooling. The MCP logging provides accountability but not safety controls.

Directus provides both REST and GraphQL APIs with documented behavior parity — a single query can retrieve multiple related data points via either protocol. The API reference at directus.io/docs/api is comprehensive, with examples across REST, GraphQL, and SDK in every endpoint section. No notable gaps in pagination, filtering, or error handling documentation. Slightly below 85 because GraphQL is a secondary interface; the REST API is the primary design target.

Directus Cloud is backed by AWS with Redis-based distributed caching and CDN asset delivery. However, public documentation on specific rate limits, API call-per-second ceilings, or documented scale limits for entries is sparse. Self-hosted deployments inherit whatever infrastructure the user configures. Adequate for most workloads but lacks the explicit performance guarantees that tier-1 SaaS CMSes publish.

The official @directus/sdk on npm is TypeScript-first, modular, and dependency-free with strong type safety. Beyond JavaScript/TypeScript, all other language SDKs (Python, PHP, Go) are community-maintained, not official. This limits the score to the 50–55 range — one excellent official SDK but no multi-language official coverage.

Directus has a Marketplace at directus.io/extensions with a growing set of extensions including AI-powered tools, computed fields, and UI enhancements. However, it skews toward UI/workflow extensions rather than pre-built integrations to analytics, commerce, DAM, or translation services. The ecosystem is smaller than enterprise SaaS CMS marketplaces and major category gaps exist for commerce and DAM.

Directus has a comprehensive extension system covering custom API endpoints, server-side hooks (on database events, schedules, lifecycle), App Extensions (interfaces, displays, panels, modules, layouts), and Flows (low-code automation pipelines). The CLI scaffolds all extension types and the Marketplace allows publishing. This is a first-class App Framework, not just webhook-based extensibility.

Directus supports SSO via OIDC and SAML 2.0, MFA, API token management, and OAuth for integrations. SSO configuration is available but appears to require Enterprise or higher cloud tiers, creating friction for smaller teams. Self-hosted users can configure any SSO provider freely. MFA is supported natively. Score reflects functional SSO but likely enterprise-gated on cloud.

Directus v11 introduced a Policy-based additive permissions system on top of its existing RBAC. Permissions are scoped to collection + item + field level with custom filter rules for both read and write access, content-instance-level access control (see only records you own), and default value injection. Field-level permissions with different allowed fields per action make this one of the most granular permission models in the open-source CMS space.

Directus Cloud achieved SOC 2 Type II certification in July 2025. GDPR compliance is documented and cloud infrastructure providers (AWS) hold ISO 27001 and SOC 2 Type II. EU data residency is not explicitly advertised. No HIPAA BAA offering found. This places Directus in the SOC 2 Type II + GDPR tier without ISO 27001 directly from Directus or HIPAA.

Directus maintains a dedicated security page at directus.io/security and a Trust Center at trust.directus.io powered by SafeBase. No major breach history found in public records. Responsible disclosure policy is documented. No public bug bounty program identified (HackerOne/Bugcrowd listing not found). Clean history with adequate disclosure scores in the 65–68 range.

Directus is open-source with official Docker images on Docker Hub and GitHub Container Registry, enabling full self-hosted deployments on any infrastructure. Directus Cloud (managed SaaS on AWS) is also available. This both/either flexibility is the maximum deployment optionality and scores at the top of the 70–80 range. Private cloud deployment is straightforward given the Docker-first architecture.

Enterprise cloud customers receive a minimum 99.9% uptime SLA; self-service cloud customers receive no SLA guarantee. A public status page exists at status.directus.cloud with 90-day uptime history. For self-hosted deployments, there is no vendor SLA by definition. The split between enterprise SLA and no SLA for standard cloud tiers caps the score in the 60-range.

Directus Cloud uses AWS with multiple availability zones, Redis distributed caching, and horizontal scaling. The platform imposes no hard limits on users, collections, or data volume as stated in enterprise documentation. However, explicit documented benchmarks, API call-per-second ceilings, or published enterprise reference customers at hyperscale are not publicly available. Suitable for large deployments but enterprise-scale proof points are not well publicized.

Directus Cloud offers automated backups documented at directus.io/docs/cloud/projects/backups. Self-hosted deployments can use S3-compatible automated backups. Schema snapshot and schema apply commands enable schema version control and environment promotion. However, no public RTO/RPO documentation found for Cloud, and multi-region failover details are not advertised outside Enterprise tier discussions.

Directus runs fully locally via Docker Compose with official images — developers get a complete instance including the Data Studio and API locally. The extension CLI scaffolds all extension types. Documentation at docs.directus.io/contributing/running-locally covers local setup. The historical complaint about no file-watcher for custom endpoints has partially been addressed by the extension scaffolding system.

Directus supports schema snapshot (export) and schema apply (import) for promoting schema changes across environments, enabling schema-as-code in CI/CD pipelines. Multiple environment setups (dev/staging/prod) are documented. GitHub Actions integration is used in the platform's own build pipeline. However, branch-per-PR content environments and automated migration rollback tooling are not natively supported — this is more basic than competitors like Contentful or Storyblok.

docs.directus.io is comprehensive and well-structured with guides for using the REST API, GraphQL API, and SDK with code examples across all three in each section. Getting-started guides, extension development documentation, and framework-specific integration guides are available. The documentation is actively maintained alongside the open-source codebase. No interactive playground found, which keeps it below 80.

The official @directus/sdk is TypeScript-first with comprehensive type definitions covering the full API surface and IDE IntelliSense support. Type generation from the Directus schema is available via community tools (directus-typescript-gen) but not a first-party code generation CLI. The lack of official first-party type generation from the content model caps this below 80.

Directus ships approximately weekly (minor + patch combined), with consistent monthly minor feature releases throughout all of 2025 into 2026. v11.16.1 is the current version as of March 2026, with notable feature drops every 4–6 weeks (v11.15 in Jan 2026 adding collaborative editing and LLM support; v11.16 in Dec 2025 adding Global Draft Versions and Multimodal AI). Release interval averages ~1.5 weeks. Not higher because no LTS/major version cycle is evident.

Directus maintains both a structured docs changelog and monthly blog recaps with video summaries. Breaking changes are tracked per release. The changelog at directus.io/docs/releases/changelog is organized by version and distinguishes improvements from breaking changes. Not scoring higher because migration tooling (codemods) is not prominently documented.

Directus operates a public roadmap at roadmap.directus.io using Productlane, with community feedback capability. The roadmap was praised publicly in GitHub Discussions (#14248), confirming it is community-facing and interactive. Not scoring higher because it is a single public roadmap view without granular milestone dates or community voting weight visible.

Directus follows semver and documents breaking changes per release in the structured changelog. The v11 series was a significant major version with migration guidance published. However, there is limited evidence of formal 12+ month deprecation windows or automated codemods — the platform is still in active v11 development rather than a mature LTS cycle. Appropriate for an active open-source project at this stage.

Directus has ~34,200 GitHub stars (consistent across sources), 13,293 Discord members, 18M+ total npm downloads, and an active Discourse forum at community.directus.io. This places it solidly in the 20K+ star tier warranting 75+, tempered slightly by Discord size being moderate and npm monthly downloads (~15K core) being modest. Overall strong open-source community footprint for its tier.

The Directus community shows active engagement via monthly changelog discussions, Discord activity, and a Discourse forum. The Productlane roadmap enables ongoing community input. Core team members participate in public channels. Not scoring higher due to lack of specific data on issue response times or answered/unanswered GitHub issue ratios.

Directus launched a formal partner program with agency certification, a public agency directory at directus.io/agency-directory, revenue sharing for referrals, and exclusive training access. This is more structured than most open-source CMSes at this tier. However, no major global SIs (Accenture, Deloitte, Valtech) are listed, and the total certified partner count appears modest.

Directus has a reasonable ecosystem of tutorials, YouTube videos, and community blog posts driven by its 34k GitHub star visibility. Monthly official changelog video recaps supplement third-party content. Content volume is healthy for a developer-focused open-source tool but does not reach the density of Strapi or major SaaS CMS platforms with dedicated course ecosystems on Udemy/Pluralsight.

Directus is recognizable in the developer community via its GitHub presence (34k stars) and npm ecosystem, but it does not appear in Stack Overflow Developer Survey results or major analyst reports. The partner certification program adds some formal credential pathway. Job postings mentioning Directus exist but at lower volume than Strapi or Contentful.

Directus shows momentum through consistent feature releases, a new commercial cloud model launch (November 2025 cloud tiers update), and an active partner program rollout. However, there are no recent major enterprise logo announcements or published case studies at the scale of tier-1 platforms. The pivot toward a commercial SaaS cloud offering is a positive momentum signal.

Directus raised $19.5M total (Seed + $7M Series A in Nov 2022 led by True Ventures). No new funding rounds or acquisitions announced in 2025–2026. The company has ~46 employees and is pivoting to a commercial cloud model, suggesting revenue-focused sustainability rather than VC-fueled growth. Stable but modest — the $7M Series A is relatively small and there has been no growth round in over 3 years.

Directus has a clear developer-centric positioning as an open-source headless CMS and data platform that connects to any SQL database. Its differentiation — database-first architecture, self-hostable, no vendor lock-in — is defensible and clearly communicated. However, it lacks analyst recognition (no Gartner MQ, Forrester Wave, or IDC coverage) and faces intense competition in the open-source headless space from Strapi and Payload.

Directus holds a G2 rating of 4.9/5 — exceptional — but with only ~50 reviews, which limits confidence relative to larger platforms. Capterra shows 4.5/5 across ~60 reviews with strong value-for-money scores. User praise centers on flexibility, open-source model, and developer experience. Review counts are modest due to developer-tool positioning (developers review less frequently than marketers). Score reflects the exceptional rating balanced against limited volume.

Directus Cloud Professional is published at $99/month (annual); Enterprise is custom/contact sales. Self-hosted is free for orgs under $5M total annual finances, but the Production License (for $5M+ orgs) has no published rate — sales-gated. Two of the four pricing paths require a sales call, reducing transparency for the broadest buyer segment (growth-stage companies).

Cloud Professional is a flat monthly/annual fee with clear included limits — a predictable model. However, usage is hard-capped (not metered), meaning the API stops accepting writes at 75K entries rather than charging overages. The $5M funding-trigger threshold for self-hosted licensing creates unpredictability for VC-backed startups. Community reports of a ~20x cloud price increase between 2022 and 2025 raise concerns about long-term pricing stability.

Directus maintains full feature parity across self-hosted tiers — no features are locked behind paid tiers. Cloud Professional vs. Enterprise differentiates on infrastructure (dedicated vs. shared) and support level, not features. SSO, custom roles, audit logs, and security features are not gated. This is a notably buyer-friendly model relative to most CMS platforms.

Cloud Professional requires annual billing with no clearly published monthly option. The self-hosted path is free under $5M with no contract, which is flexible for most users. However, orgs above the $5M threshold must negotiate an enterprise license with no published rates or published exit provisions. No startup discount program or nonprofit pricing is documented.

There is no free cloud tier — Professional starts at $99/month. However, self-hosted is genuinely free for any organization with under $5M in total annual finances (revenue + funding), covering freelancers, startups, agencies, and most SMBs. The free self-hosted path allows full commercial use and all features. The catch: requires technical setup (Docker, PostgreSQL, Redis) and the $5M threshold snares VC-backed startups that may be pre-revenue.

Directus Cloud provisions a project in ~90 seconds and allows a first API call within minutes — excellent time-to-value for cloud users. Local Docker setup is functional in under 30 minutes for developers experienced with Docker/Postgres. Production self-hosted deployment (with Redis, backups, and scaling) takes 1–3 days. The SDK is a standard npm package with no proprietary patterns. Cloud path comfortably reaches the < 1 hour threshold.

Community reports indicate standard web project timelines — days to weeks for a typical project — with no unusual overhead attributed to Directus specifically. The data modeling and API auto-generation approach reduces custom backend development time significantly. No sustained community complaints about unexpectedly long implementation timelines. Comparable to other headless CMS platforms in this tier.

Directus uses entirely mainstream technologies: Node.js, TypeScript, Vue.js, standard SQL, REST, and GraphQL. No proprietary DSL, query language, or certification program exists. Any competent full-stack TypeScript developer can work effectively with Directus after a brief familiarization period. Extensions use Vue.js, which is broadly available. The cost premium over a generalist Node.js developer is minimal.

Cloud Professional at $99/month includes all infrastructure — no additional hosting costs. However, most buyers choosing Directus for cost reasons will self-host, which requires PostgreSQL, Redis, and a container host. Typical infrastructure costs on AWS/GCP/Azure run $30–150/month for a production-grade setup. Redis is not optional at production scale, adding operational overhead and cost. The self-hosted path adds meaningful infrastructure cost beyond the license.

Directus Cloud is fully managed with near-zero ops overhead. Self-hosted deployments require meaningful operational expertise: Docker container management, PostgreSQL administration, Redis operation, regular version upgrades, and backup configuration. The official docs explicitly state 'experience running and scaling Docker containers' is required. For the majority of Directus users who self-host for cost reasons, 0.25–0.5 FTE of ongoing ops effort is a realistic expectation.

Directus has exceptionally low vendor lock-in by design. The platform wraps your existing SQL database — data lives in standard PostgreSQL/MySQL tables in schemas you define. Removing Directus leaves your data intact in a standard RDBMS. Schema can be snapshotted and migrated via `/schema/snapshot` and `/schema/apply` API endpoints. File assets are stored in any S3-compatible storage or local filesystem. Cloud-to-self-hosted migration is officially supported with no artificial barriers.

Directus maps closely to standard web development concepts: collections = database tables, fields = columns, items = rows, roles = access control. The 'data engine' metaphor is clear, and REST/GraphQL exposure is automatic. Slight complexity arises from understanding system vs. user collections and how Directus's abstraction layer sits above the raw database schema — not disqualifying but requires some adjustment for developers coming from pure SaaS CMS backgrounds.

Directus has a structured quickstart guide, dedicated tutorials section, and a getting-started pathway. February 2025 changelog noted focused improvements to developer onboarding experience, and a CLI tool for project initialization entered beta. No formal certification program or in-app guided tours. Solid docs without the interactive onboarding depth of Contentful or Sanity.

Directus exposes standard REST and GraphQL APIs with no proprietary query language. The official JavaScript/TypeScript SDK handles auth, collection access, and type generation. Works with any frontend — Next.js, Nuxt, Astro, SvelteKit all have first-class starters. No proprietary templating layer or custom rendering engine. Backend is Node.js, which is universally familiar.

The official `directus-labs/starters` repository provides starters for Next.js, Nuxt, Astro, and SvelteKit. The `directus-template-cli` supports init commands like `npx directus-template-cli@latest init --frontend=nextjs --template=cms`. Starters include content model setup and example content. Quality is good but not as polished or actively maintained as Sanity's or Contentful's starter ecosystem — community starters fill some gaps.

Self-hosted Directus requires a .env file with DATABASE_CLIENT + connection vars (4–6 DB vars or a connection string), SECRET, ADMIN_EMAIL, and ADMIN_PASSWORD — typically 6–10 env vars for a production-ready setup plus optional storage provider config. Directus Cloud eliminates most of this. Config is well-documented with clear defaults, but the self-hosted surface is moderate. Falls in the 55–70 range for typical deployments.

Directus wraps your own database, so schema changes operate at the DB level without proprietary field count limits. Dedicated schema migration endpoints enable environment promotion (dev → staging → production) with diff and dry-run previews (enhanced in March 2025). Renaming or changing field types carries standard database-level risk but Directus provides tooling to inspect and preview changes before applying. Better migration story than Strapi.

Directus supports live preview — editors can preview content changes alongside their site before publishing. However, this requires frontend code to implement a preview handler and Directus-side preview URL configuration. Not plug-and-play; similar in effort to Strapi's preview setup. The February 2025 improvements specifically called out 'smooth live preview' as a focus area, suggesting it had been a pain point. Visual editing is not natively available.

Generalist TypeScript/JavaScript developers can be fully productive with Directus — no proprietary certification exists or is needed. Standard REST/GraphQL consumption skills apply. Some Directus-specific knowledge is helpful for Flows (event-driven automations), custom extensions, and the Hooks/Operations system, but these are optional and the API surface follows conventional patterns. Self-hosting adds mild DevOps knowledge requirements.

A solo developer can realistically build and deploy a production Directus project. Directus Cloud removes infrastructure concerns entirely; self-hosted Docker Compose deployments are well-documented one-file setups. The Data Studio admin, auto-generated APIs, and permission system mean one developer can handle content modeling, API setup, auth, and frontend integration. No specialized ops or solution architect role required.

The Data Studio admin UI is polished and non-technical users can manage content, upload assets, and handle editorial workflows without developer involvement. Role-based permissions allow editors to be scoped appropriately. However, creating new collections, adding fields, or modifying data models still requires developer access. Flows and automations are developer-configured. Cross-functional operational friction is lower than traditional DXPs but higher than Storyblok or Contentful's fully self-service editor experience.

Directus explicitly does not follow semantic versioning — any release may introduce breaking changes. The v10→v11 migration required significant effort: full access-control overhaul (permissions moved to a new 'policies' model), SendGrid SMTP reconfiguration, and extension API migrations. The echobind upgrade guide illustrates the real complexity teams face. Cloud users get version-managed upgrades (directus.io/docs/cloud/projects/version-upgrades), softening the blow, but self-hosted instances remain fully manual.

CVE-2025-55746 (CVSS 9.3) — unauthenticated file upload and RCE — affected all versions from 10.8.0 up to 11.9.3; Belgium's Centre for Cybersecurity issued a public advisory. Additional CVE-2025-53887 exposed version numbers unauthenticated. Directus released patches promptly, but self-hosted operators must manually apply each version upgrade to receive the fix, adding friction and exploitability window.

The v10→v11 upgrade forced a complete access-control schema migration (roles→policies), breaking all existing permission configurations, plus SendGrid and extension API changes. Non-semver policy means forced changes can appear in any release without a major version bump. Breaking changes are well-documented on a dedicated page, which limits surprise, but the migration burden is real and recurring.

Self-hosted Directus requires Docker, a supported database (MySQL, PostgreSQL, SQLite, MS SQL, Oracle), and optionally Redis and a cloud storage backend. Docker containers simplify the runtime surface, but DB, cache, and storage must still be managed and kept current independently. Compared to Drupal's LAMP stack or AEM's JVM ecosystem this is moderate, not minimal.

Directus provides a /server/health endpoint and a basic system-status check in the admin UI, but no native APM or infrastructure monitoring. A GitHub discussion (2021, still referenced) shows users building custom monitoring externally. The official docs recommend implementing a monitoring system, automated backups, and alerting externally — meaning customers carry the full monitoring setup burden for self-hosted instances.

Directus offers a customizable Insights dashboard for data visualizations, built-in audit trail, and role-based approval workflows, which reduce manual content governance overhead. However, dedicated content-hygiene automation — orphan detection, broken-reference alerts, content-expiry workflows — is absent out-of-the-box and must be built as custom extensions or dashboard panels. Content health relies heavily on editorial discipline.

Self-hosted deployments require customers to configure Redis caching, set up a CDN, tune database queries, and operate a load balancer for HA — all documented as customer responsibilities. Directus Cloud handles CDN and infrastructure scaling, reducing burden significantly for that tier. The dual-hosting model means scores vary widely by deployment type; self-hosted (the dominant use case) carries substantial performance management effort.

Open-source (self-hosted, unlicensed) users have no formal SLA and rely on community channels. Enterprise Cloud includes basic support with SLAs; Premium support (24/7 critical + dedicated CSM) is an add-on. G2 reviewers on Enterprise plans praise responsiveness, but meaningful SLA-backed support is locked behind paid tiers. Mid-tier support is serviceable but not exceptional.

Directus maintains an active Discord/community platform and GitHub Discussions with strong team participation. Monthly update blog posts (e.g., January 2025 release notes) indicate ongoing engagement. G2 reviewers consistently highlight responsive community Slack/Discord as a strength. GitHub issue board is actively triaged with team review. Community quality compares favorably to other open-source peers at this tier.

Directus maintains a regular monthly release cadence with changelog. CVE-2025-55746 (CVSS 9.3) was patched in version 11.9.3 after disclosure, demonstrating responsiveness to critical security issues. GitHub issue board is actively reviewed per documented bug triage process. Non-semver releases bundle patches into regular version bumps rather than hotfix branches, which is adequate but not rapid-patch model.

Directus is a headless CMS — there is no native visual page builder or drag-and-drop layout tool. Marketers can edit existing content fields but every new page layout or component requires developer involvement. The directus-labs 'Building Landing Pages with AI' content and the AOK Bayern showcase both require custom frontend setup. No low-code page builder exists.

No native campaign management, content calendar, or multi-channel coordination tools. Directus Flows can automate scheduled email sends and audience segmentation, making it slightly above baseline, but there is no campaign lifecycle, analytics integration, or publish/archive workflow. Scores at the low end of the headless CMS range.

No built-in SEO fields, sitemap generation, or redirect management in core Directus. An official first-party SEO plugin (@directus-labs/seo-plugin) provides metadata management and keyphrase analysis, and docs describe manual SEO field creation patterns. Sitemap and redirects require custom extension or external tooling. The plugin lifts this above pure manual, but it is not out-of-box.

No native form builder, CTA management, lead capture, or UTM/conversion tracking in Directus core. All performance marketing tooling must come from the frontend or external integrations. Directus Flows can receive webhooks but provides no marketing analytics layer. Scores at the floor for this item.

Directus's flexible relational data modeling adapts well to product content: multiple documented PIM implementations exist (fashion e-commerce, Shopify PIM) managing SKU-level rich media, variant content, multi-channel taxonomy, and attribute modeling. This is a generic modeling approach repurposed for products, not purpose-built PIM, but real production deployments validate it as a viable option.

No native merchandising features whatsoever — no category management UI, no promotional content scheduling tied to commerce, no cross-sell/upsell tooling, no search result merchandising. Directus is a data platform, not a commerce tool. Any merchandising logic lives entirely in the frontend or commerce platform.

Directus integrates with Shopify as a headless PIM via REST/webhook-based synchronization, consolidating product data across channels. There is a documented tutorial for building an e-commerce platform with Next.js, Stripe, and Directus Automate. No deep API federation or real-time bidirectional sync with commerce platforms; integration is custom-built and API/webhook-level only.

Directus has best-in-class RBAC for a headless CMS: field-level permissions, filter-rule-based row-level access, IP allow-lists, and SSO via OAuth2, OpenID, SAML, and LDAP. Directus v11 introduced a policy-based additive permissions model. This covers department/team scoping, field-level sensitivity, and SSO-backed access needed for intranet scenarios. The main gap is no audience-based content visibility in the frontend layer — that's handled by the consuming application.

Directus offers content revision history, Flows-based approval workflows, and flexible content modeling that can represent knowledge taxonomies. However, there are no purpose-built knowledge lifecycle features — no content expiry/review scheduling, no knowledge-specific search ranking, no archival workflows out of the box. Scores mid-range: better than nothing due to Flows and revisions, but not a knowledge management tool.

Directus does not appear in any intranet comparison and has no native employee experience features — no news feed, employee directory integration, notifications, social features, or personalized dashboards. Directus is not positioned for this use case and building a full employee portal on top of it would require extensive custom frontend development. Scores at the floor.

Directus supports multi-tenancy via row-level tenant_id filtering + RBAC policy scoping, not native separate environments or schemas per tenant. Running separate Directus instances per tenant is possible but unmanaged — there is no built-in orchestration. The proposed Directus Hub (not yet released) aims to add centralized multi-instance management. Current state is functional but manual, placing it in the no-native-isolation tier.

No native cross-tenant or cross-brand content sharing mechanism. In a multi-instance setup, shared global content must be federated via API from a central Directus instance — a workable but entirely custom pattern. Schema Sync extensions exist for propagating schema changes. The proposed Directus Hub would add modular schema/extension deployment but is not yet available.

No native cross-brand governance, centralized approval workflows, or global policy enforcement across multiple Directus instances. The Directus Hub discussion proposes audit trails, schema drift detection, and centralized access management but this is unreleased. Current governance is per-instance only. Scores in the no-cross-brand-governance range.

Open-source self-hosted Directus has near-zero marginal cost per additional brand or tenant — infrastructure cost only. Row-level multi-tenancy on a shared instance adds no licensing cost at all. Even separate-instance deployments scale cheaply on self-hosted infrastructure. Directus Cloud pricing is per-instance but the self-hosted option fundamentally offers best-in-class scale economics for multi-brand scenarios. This is a genuine differentiator vs. SaaS-only competitors.

Directus publishes a Privacy Policy with GDPR rights (erasure, portability, access, rectification) and CCPA rights for California residents. Multiple EU regions (Frankfurt, London, Milan, Paris, Stockholm, Zurich) are available on Professional and Enterprise tiers, explicitly for GDPR compliance. The Trust Center lists sub-processors (AWS, Cloudflare, SendGrid, Northflank, Google). However, no publicly accessible DPA document was found — only a contact at [email protected], suggesting DPA available on request but not self-service.

No HIPAA BAA is offered, and no healthcare-specific documentation was found anywhere in Directus's public compliance materials. The platform does not target healthcare use cases. Self-hosted deployments could theoretically be configured for HIPAA by customers using compliant infrastructure, but Directus provides no BAA or official guidance.

GDPR and CCPA are explicitly addressed in the privacy policy. No FedRAMP, IRAP, C5, PCI-DSS, HITRUST, or UK GDPR IDTA/SCCs were found. The security page references NIST SP 800-53 access control principles and AWS Well-Architected Framework reviews, but these are frameworks adopted rather than certifications held. Regional coverage is narrow.

Directus Cloud achieved SOC 2 Type II certification in July 2025, audited by A-LIGN. The certification covers all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy — the broadest possible scope. Report is available by contacting [email protected]. Applies to Directus Cloud only (not self-hosted). Annual renewal cadence is not explicitly documented, which is the only gap preventing a higher score.

Directus does not hold ISO 27001 certification at the platform level. The security page states that cloud hosting providers (AWS) must be ISO 27001 compliant, and that Directus Cloud 'inherits' AWS compliance — but per scoring rules, cloud provider certifications cannot be attributed to the SaaS platform itself. No ISO 27018 documentation was found.

Beyond SOC 2 Type II, no additional platform-level certifications were found. NIST SP 800-53 access control principles are referenced in the security page, and AWS Well-Architected Framework reviews have been conducted — these represent security framework alignment rather than certifications. No CSA STAR, PCI-DSS, Cyber Essentials, FedRAMP, or IRAP.

Directus Cloud offers broad regional choice: 19 regions on Enterprise (US, EU, APAC, South America, Africa) and 3 on Professional (US N. Virginia, EU Frankfurt, APAC Singapore). EU regions explicitly include Frankfurt, London, Milan, Paris, Stockholm, and Zurich. The documentation frames region selection as being 'to meet local data compliance laws such as GDPR.' However, no contractual residency guarantees were found in public documentation, and the CDN impact on data residency is not addressed.

The Trust Center documents data erasure procedures and the privacy policy supports right-to-erasure for individuals. Automatic daily backups are performed with envelope encryption. The Activity API allows programmatic access to all data. However, no documented post-termination retention period was found, no self-service bulk data export portal exists for Cloud customers, and the erasure mechanism is not fully self-service.

Directus provides an Activity Log capturing all user actions, system events, timestamps, and IP addresses, accessible via the REST and GraphQL APIs (activity endpoint). Filter and search are built in. However, no native SIEM push integration (e.g., Splunk, Datadog) was documented — SIEM integration would require API polling. Log retention period is not documented in public materials.

No documentation of WCAG 2.1 AA compliance for the Directus Data Studio (authoring interface) was found. No ATAG 2.0 conformance statement exists. Directus markets itself as a developer-first data platform and accessibility of the administrative UI is not featured in compliance or product documentation. The absence of any public accessibility commitment for the authoring interface results in a low score.

No VPAT (Voluntary Product Accessibility Template) or ACR (Accessibility Conformance Report) was found for Directus. No Section 508 conformance statement exists. No ATAG 2.0 assessment is published. This is consistent with an open-source developer-tools company that has not yet produced formal procurement-grade accessibility documentation.