The EMnify System provides a RESTful API. Communication with the API is done over HTTP(S) requests with JSON request body with application/json content-type and an authentication token as a requirement for every API call.

The API is defined in detail in the following section, but here are some highlights:

  • Lookup values are accessed at the same level as the resource they describe. For example, the URL to retrieve the list of possible statuses of an endpoint is /api/v1/endpoint/status.
  • Collection responses are NOT wrapped in an envelope. Instead the result metadata is returned in the header of the response.
  • Paging, filtering sorting of large datasets are managed via query parameters of GET requests.
  • The API provides complex error messages capable of reporting a set of errors.
  • The API implicitly provides multi-tenancy management. The server limits the visibility of the data and available operations based on the organisation of the user identified by authentication token.
  • When associating an existing object(s) to a collection, it is sufficient to provide only the object(s) IDs.

The following service pattern is provided for all major resources:

Action URL Description
GET /api/v1/resource retrieve resource collection
POST /api/v1/resource create resource
GET /api/v1/resource/{id} retrieve single resource
PATCH /api/v1/resource/{id} update single resource
DELETE /api/v1/resource/{id} delete single resource
PUT /api/v1/resource/{id1}/collection/{id2} add sub-resource with id id2 to a collection belonging to a resource with id id1.

N.B. The word endpoint, typically used in RESTful API definitions has a particular meaning in the EMnify application domain. To avoid confusion, the word endpoint will be used in this documentation to identify endpoint entities (resources) of the EMnify System domain while the word entrypoint will be used to identify generic RESTful API endpoints.

Securing the API

The API is secured through usage of JSON Web Tokens (JWT) which are an open standard (RFC 7519) for representing claims securely between two parties.

The server generates JWT tokens for accessing the API (further referenced as ‘authentication token’) for users or applications after they present verifiable credentials. Once the credentials are exchanged for an authentication token on the server, the client has to submit it within the HTTP Authorization header in each subsequent request. The system validates the rights and permissions of the requesting user/application by parsing the token’s content.

The authentication token expires after 240 minutes. Therefore the authentication needs to be performed again to obtain a new authentication token.

If the authentication token is missing, invalid or expired the API returns 401 Unauthorized response status.

If a client tries to access resources that exists, but the client does not have the permissions or the rights to access it, the API returns either 403 Forbidden or 404 Not Found.

These requirements are general and will not be repeated in in the remainder of this API specification.


All API calls including the authentication must be made over secure socket (SSL).

The server responds to API request in gzip compressed format with the following header

Content-Encoding: gzip
Content-Type: application/json

Rate Limiting

The EMnify System REST API has rate limiting enforced at the following values:

  • 2000 requests per IP in a five minute window
  • 100 authentication requests per IP in a five minute window

When this threshold is reached, 429 Too Many Requests will be returned by the system as a response to excessive requests until the average request rate is within the specified limit. The response will also include the Retry-After header, which indicates after how many Milliseconds a user can try requesting again.

Apart from the general API rate limiting, there are also limits configured on specific API paths. The following limits are enforced per organisation:

API path Requests per second Burst requests
GET /api/v1/organisation/{id}/billing/* 10 5
GET /api/v1/stats/* 10 5
GET /api/v1/organisation/{id}/stats/* 10 5
GET /api/v1/sim 10 5
GET /api/v1/organisation/{id}/stats 10 5
GET /api/v1/endpoint 10 5
GET /api/v1/event 10 5
GET /api/v1/sim/{id}/stats/* 10 5
GET /api/v1/endpoint/{id}/connectivity_info 10 5
GET /api/v1/event/alerts_pending 100 50
GET /api/v1/endpoint/stats/* 100 50
GET /api/v1/sim/{id} 100 50
GET /api/v1/service_profile 100 50
GET /api/v1/tariff_profile/* 100 50
GET /api/v1/tariff_profile 100 50
GET /api/v1/service_profile/* 100 50
GET /api/v1/event_deprecated 100 50
GET /api/v1/endpoint/{id} 100 50
GET /api/v1/endpoint/{id}/connectivity 100 50
GET /api/v1/endpoint/{id}/stats/* 100 50

When the limit on any of these paths is exceeded, the system will return 429 Too Many Requests.

API Quota

Every organisation is allowed to make a total of 10,000,000 API requests per month. Once the quota has been used up, the system will return 429 Too Many Requests.

The quota will be reset on the 1st of every month.

URL format

All API URLs are following a generic structure like




Also some resources may provide access to further sub-resources


HTTP verbs

Here is the definition of HTTP verbs used in the API with description and typical responses upon request to collection entrypoint and single resource entrypoint.

VERB Description Collection Response
i.e. /sim
Item Response
i.e. /sim/{id}
GET Retrieve a resource without side-effects (nothing changes on the server) 200 (OK), list of SIMs. Use pagination, sorting and filtering to navigate big lists. 200 (OK), single SIM. 404 (Not Found), if ID not found or invalid.
POST Create a resource 201 (Created), ‘Location’ header with link to /sim/{id} containing new ID. 404 (Not Found).
PUT Assign already-existing sub-resource to a resource. No request body is requested in such calls. 404 (Not Found) 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid.
PATCH Partially modify a resource 404 (Not Found) 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid.
DELETE Delete a resource 404 (Not Found) 200 (OK). 404 (Not Found), if ID not found or invalid.

HTTP Headers

Request Headers

Each HTTP request must have at least the following headers:

  • Content-Type: application/json
  • Accept: application/json
  • Authorization: Bearer YourAuthenticationToken

Response Headers

The API uses header to transfer meta information about the returned result. The usage varies depending on the operation. The details are available within the specification of particular resource description:

Header Description Examples
Location [POST] - URL of the created resource Location: /api/v1/endpoint/123
Link [GET] Collection - URL of available pages Link:;rel="first",;rel="prev",;rel="next",;rel="last"
X-Total-Count [GET] Collection - Total item count X-Total-Count: 3325
X-Current-Page [GET] Collection - Current page X-Current-Page: 6
X-Filter [GET] Collection - Filter applied criteria X-Filter: status:1
X-Sort [GET] Collection - Applied sort criteria X-Sort: -status

HTTP Return codes

CODE Meaning Description
200 OK Response to a successful GET, also used for a POST if it does not result in a creation
201 Created Response to a POST that results in a creation, usually will return a Location header pointing to the location of the new resource
204 No Content Response to a successful request that is not returning a body
400 Bad Request The request is malformed, e.g. the body cannot be parsed
401 Unauthorized No or invalid authentication token provided
403 Forbidden authentication token is valid, but user has no access permissions to the request resource
404 Not Found A non-existent resource is requested
405 Method Not Allowed HTTP method being requested is not allowed
409 Conflict The request could not be completed due to a conflict with the current state of the resource.
410 Gone Indicates that the resource at this end point is no longer available.
415 Unsupported Media Type Incorrect content type was provided as part of the request
422 Unprocessable Entity Body will return list of validation errors
429 Too Many Requests Request is rejected due to rate limiting