Introduction
The EMnify System provides a RESTful API.
Communication with the API is done over HTTP(S) requests with JSON body content and application/json content-type with an authentication token as a requirement for every API call.
All API calls must be made over HTTPS.
The API is defined in detail in the following section, but here are some highlights:
- Lookup values are accessed at the same level as the resource they describe. For example, the URL to retrieve the list of possible statuses of an endpoint is
/api/v1/endpoint/status. - Collection responses are NOT wrapped in an envelope. Instead the result metadata is returned in the header of the response.
- Paging, filtering sorting of large datasets are managed via query parameters of GET command.
- API provides complex error messages capable of reporting a set of errors.
- The API implicitly provides multi-tenancy management. The server limits the visibility of the data and available operations based on the organisation of the user identified by authentication token.
- When associating an existing object(s) to a collection, it is sufficient to provide only the object(s) IDs.
The following service pattern is provided for all major resources:
| Action | URL | Description |
|---|---|---|
GET |
/api/v1/resource |
retrieve resource collection |
POST |
/api/v1/resource |
create resource |
GET |
/api/v1/resource/{id} |
retrieve single resource |
PATCH |
/api/v1/resource/{id} |
update single resource |
DELETE |
/api/v1/resource/{id} |
delete single resource |
PUT |
/api/v1/resource/{id1}/collection/{id2} |
add item with id id2 to a collection of a resource with id id1. |
N.B. The word endpoint, typically used in RESTful API definition has a particular meaning in the EMnify application domain. To avoid confusion, in this documentation, the word endpoint will be used to identify endpoint entity (resource) of the EMnify System domain while the word entrypoint will be used to identify generic RESTful API endpoint.
Securing the API
The API is secured through usage of JSON Web Tokens (JWT) which are an open standard (RFC 7519) for representing claims securely between two parties.
The server generates JWT tokens for accessing the API (further referenced as ‘authentication token’) for users or applications after they present verifiable credentials. Once the credentials are exchanged for an authentication token on the server, the client has to submit it within the HTTP Authorisation header in each subsequent request. The system validates the rights and permissions of the requesting user/application by parsing the token’s content.
The authentication token expires after 240 minutes. Therefore the authentication needs to be performed again to obtain a new authentication token.
If the authentication token is missing, invalid or expired the API returns 401 Unauthorized response status.
If a client tries to access resources that exists, but the client does not have the permissions or the rights to access it, the API returns either 403 Forbidden or 404 Not Found.
These requirements are general and will not be repeated in in the remainder of this API specification.
Connection
All API calls including the authentication must be made over secure socket (SSL).
Server is responding to API request in gzip compressed format with header
Content-Encoding: gzip
Content-Type: application/json
URL format
All API URLs are following a generic structure like
/api/APIVERSION/ENTRYPOINT/{object_id}
e.g.
/api/v1/user/123
Also some resources may provide access to further sub-resources
/api/v1/organisation/123/contact
HTTP verbs
Here is the definition of HTTP verbs used in the API with description and typical responses upon request to collection entrypoint and single resource entrypoint.
| VERB | Description | Collection Response i.e. /sim |
Item Response i.e. /sim/{id} |
|---|---|---|---|
| GET | retrieves a representation of a resource without side-effects (nothing changes on the server) | 200 (OK), list of SIMs. Use pagination, sorting and filtering to navigate big lists. | 200 (OK), single SIM. 404 (Not Found), if ID not found or invalid. |
| HEAD | retrieves just the resource meta-information (headers) e.g. same as GET but without the response body - also without side-effects | TBD | |
| OPTIONS | returns the actions supported for specified the resource - also without side-effects | TBD | |
| POST | creates a resource | 201 (Created), ‘Location’ header with link to /sim/{id} containing new ID. | 404 (Not Found). |
| PUT | (completely) replaces an existing resource | 404 (Not Found) | 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid. |
| PATCH | partial modification of a resource | 404 (Not Found) | 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid. |
| DELETE | deletes a resource | 404 (Not Found) | 200 (OK). 404 (Not Found), if ID not found or invalid. |
HTTP Headers
Request Headers
Each HTTP request must have at least the following headers:
-
Content-Type:
application/json -
Accept:
application/json -
Authorization:
Bearer YourAuthenticationToken
Response Headers
The API uses header to transfer meta information about the returned result. The usage varies depending on the operation. The details are available within the specification of particular resource description:
| Header | Description | Example |
|---|---|---|
| Location | [POST] - URL of the created resource | Location: /api/v1/endpoint/123 |
| Link | [GET] Collection - URL of available pages | Link: https://cdn.emnify.net/api/v1/endpoint?per_page=100;rel=”first”, https://cdn.emnify.net/api/v1/endpoint?page=5&per_page=100;rel=”prev”, https://cdn.emnify.net/api/v1/endpoint?page=7&per_page=100;rel=”next”, https://cdn.emnify.net/api/v1/endpoint?page=34&per_page=100;rel=”last” |
| X-Total-Count | [GET] Collection - Total item count | X-Total-Count: 3325 |
| X-Current-Page | [GET] Collection - Current page | X-Current-Page: 6 |
| X-Filter | [GET] Collection - Filter applied criteria | X-Filter: status:1 |
| X-Sort | [GET] Collection - Applied sort criteria | X-Sort: -status |
HTTP Return codes
| CODE | Meaning | Description |
|---|---|---|
| 200 | OK | Response to a successful GET, also used for a POST if it does not result in a creation |
| 201 | Created | Response to a POST that results in a creation, usually will return a Location header pointing to the location of the new resource |
| 204 | No Content | Response to a successful request that is not returning a body |
| 400 | Bad Request | The request is malformed, e.g. the body cannot be parsed |
| 401 | Unauthorized | No or invalid authentication token provided |
| 403 | Forbidden | authentication token is valid, but user has no access permissions to the request resource |
| 404 | Not Found | A non-existent resource is requested |
| 405 | Method Not Allowed | HTTP method being requested is not allowed |
| 409 | Conflict | The request could not be completed due to a conflict with the current state of the resource. |
| 410 | Gone | Indicates that the resource at this end point is no longer available. |
| 415 | Unsupported Media Type | Incorrect content type was provided as part of the request |
| 422 | Unprocessable Entity | Body will return list of validation errors |
| 429 | Too Many Requests | Request is rejected due to rate limiting |