© 2015 X2Engine Inc.

Difference between revisions of "REST API Reference"

From X2Engine
Jump to: navigation, search
(Authentication)
(Authentication)
Line 70: Line 70:
 
In all other cases, to authenticate and access the API using this method, each request must include the <tt>Authorization</tt> header. To compose the header, first combine the username and API key into a single string with a colon, as:
 
In all other cases, to authenticate and access the API using this method, each request must include the <tt>Authorization</tt> header. To compose the header, first combine the username and API key into a single string with a colon, as:
 
   {username}:{userKey}
 
   {username}:{userKey}
Next, obtain the string in Base-64 encoding. For example, <tt>username:password</tt> in base 64 is <tt>dXNlcjpwYXNzd29yZA==</tt>. Thus, the resulting header would look like this:
+
Next, obtain the string in Base-64 encoding. For example, '''<tt>username:password</tt>''' in base 64 is <tt>dXNlcjpwYXNzd29yZA==</tt>. Thus, the resulting header would look like this:
 
   Authorization: Basic dXNlcjpwYXNzd29yZA==
 
   Authorization: Basic dXNlcjpwYXNzd29yZA==
  

Revision as of 21:00, 2 May 2014

X2Engine's second-generation HTTP-based API, available as of version 4.1, is (for the most part) REST-ful, and includes many improvements over the original API.

This article is currently a work in progress.

Introduction

This API within X2Engine, can be accessed via the URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root

 index.php/api2

It also:

  • Exclusively uses JSON for data input and output
  • Tends to use similar URIs for both input and output (distinguishing operations via the request method)
  • Uses a variety of server response codes to distinguish error scenarios in the case of an unsuccessful transaction
  • Uses the "HTTP Basic Auth" method for authentication

For example, to create a contact, one would send a POST request with its body a JSON-encoded attributes list to the URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root

 index.php/api2/Contacts

with the Content-Type header set to application/json, and the request body as (for example):

{"firstName":"John","lastName":"Smith","visibility":1,"email":"johnsmith@example.com"}

If creation of the contact is successful, the server should respond with status code 201 ("Created"), and the response should contain a Location header with the full URL (including protocol) of the newly created contact (in addition to all the attributes of the new contact). If for example the new contact's ID is 123, that URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root would be

 index.php/api2/Contacts/123.json

and a GET request to that URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root would elicit a response from the server whose body contains a JSON-encoded list of attributes.

Access Credentials

To use the API, you will need to obtain X2Engine API credentials, which include a username and an API key. An X2Engine user with administrative privileges can get or set API keys in the Users module administrator. Any user can authenticate via the API by visiting the Update page for any given user.

Explore the API Using Your Web Browser

Once you have API credentials, you can examine the web API using your web browser by making GET requests to locations within index.php/api2 (simply by typing them into your browser's location bar). You can get a nicer view of the data returned by the server by installing a JSON viewing plugin in your web browser. A recommended plugin for this purpose is JSONView, which is available for Firefox and for Google Chrome (it's an unofficial port, but the developer of the API and author of this article uses it).

Example 1: hello, world

Try visiting the following URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root within X2Engine:

 index.php/api2/appInfo.json

Initially you will be prompted to enter the username and password to complete authentication; enter the API key corresponding to the user in the password field. The above URL should respond with a JSON string containing some basic info about the X2Engine application.

Example 2: direct access

You can get the ID of any given account record by going to it inside X2Engine as you normally would and examining the URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root. It should generally look something like this:

 index.php/accounts/32

or:

 index.php/accounts/id/32

In both of the above examples, the primary key value (id) of the record in question is 32. To view it in the API:

 index.php/api2/Accounts/32.json

Note how in the API, the first letter of "Accounts" is capitalized. This is because active record data in the API is accessed not via specifying the module containing the active record class, or to which the class corresponds, but by specifying the actual class name to use when accessing (or querying) data.

Example 3: querying

 index.php/api2/Actions?_order=-id&_limit=3

This will show you the last 3 action records (i.e. emails, call logs, to-do's) created in the system (which the current acting API user has permission to view), in descending order of their primary key values (column "id"). If you have no action records in your system, you should receive an empty array.

Prerequisites for API Applications

When writing an application to interface with X2Engine via the API, it is required or highly recommended that your language/coding environment of choice:

  • Have a JSON parsing and encoding library available
  • Have a library for making HTTP requests which can:
    • Set request headers
    • Parse response headers and read the response status code
    • Natively support requests using HTTP Basic Auth for access
    • Read responses even when the response code is not in the "success" category (2xx)
    • Make POST, PATCH/PUT and DELETE requests
  • Can access the network

Many high-level languages, such as Perl, PHP, Python and Ruby, meet these requirements. The specific usage of these languages is beyond the scope of this article; you will need to refer to the documentation of the library/libraries in use.

It is expected in the near future that a growing number of official API access classes (each in a different programming language) will be available for quick and easy development of API applications.

Authentication

As stated before, the API uses "HTTP Basic" authorization. Many HTTP client libraries will have native methods of setting headers for HTTP basic auth. It is recommended that you use that method for authentication and read the relevant documentation rather than setting headers manually, as that will save time and more likely render successful results sooner.

In all other cases, to authenticate and access the API using this method, each request must include the Authorization header. To compose the header, first combine the username and API key into a single string with a colon, as:

 {username}:{userKey}

Next, obtain the string in Base-64 encoding. For example, username:password in base 64 is dXNlcjpwYXNzd29yZA==. Thus, the resulting header would look like this:

 Authorization: Basic dXNlcjpwYXNzd29yZA==

See also the the Wikipedia article on this topic.

Interpreting Server Responses

HTTP Response Codes

It is important to be able to read and interpret status codes (and for that matter, response headers) because in all success scenarios, the API does not respond with data envelopes. By this it is meant the act of wrapping a data model's attributes inside another array containing metadata about the status of the request. This is in effort to streamline and make more elegant code that handles response data. It is also for consistency's sake. A contacts model accessed as a resource object with name ending with .json is expected to be that contact, and not rather an array with server response info or other metadata.

In general, the meanings of response codes closely or exactly follow the formal definitions as defined in RFC2616, as well as the informal definitions of unconventional status codes (See wikipedia:List of HTTP status codes). The following table lists each of the possible status codes that the API will respond with, the contexts in which they would appear, and what they indicate.

Code Request type or usage scenario Meaning
Success (2XX)
200 GET, PATCH, PUT and when adding tags via POST OK. General success status
201 POST Created. A record was created; see the value of the Location response header for its URL in the API
204 DELETE No content. An action was completed but the server does not need to return any content.
Redirection (3XX)
303 GET, when requesting a relationship record that is not actually associated with the current model See other. The requested resource is somewhere else. The Location header should contain the correct URL to the record.
Client Error (4XX)
400 All request methods/actions Invalid request. General status code for when something is missing, malformed or incorrect in the request headers/body.
401 All request methods/actions. Authentication failure or missing authentication credentials.
403 All request methods/actions. Forbidden. This may be because the user in API authentication does not actually have permission in X2Engine to perform the specified action (i.e. updating/viewing a particular record). In Platinum Edition, this code can also indicate that the IP address of the API client has been blocked.
404 All request methods/actions. Not found, or invalid URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root. It is used whenever a specified record to retrieve directly does not exist, but also as a catch-all for a location that the API was not configured to interpret.
405 All request methods/actions Method not allowed. The URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root is not malformed, but the method of the request being sent to the server is not permitted. An example would be sending a POST request, which is intended for creating new records, to the URI[[wikipedia:Uniform Resource Identifier]]: The part of a URL that identifies the resource on the server to be accessed. In the context of the API, this refers to the relative path within the web server based in the web root of X2Engine, i.e. ''index.php/api2/Contacts/324.json'' as opposed to the full URL, which begins with the protocol (i.e. "http") and might also contain a path relative to the web site's document root of an existing record, or sending a DELETE/POST/PUT request to a "read-only" resource.
408 All methods; server-generated Request timeout. This code is not as of this writing not produced by the API; it might be returned by the web server itself.
413 All methods; server-generated Request entity too large. This code is not as of this writing not produced by the API; it might be returned by the web server itself.
415 PATCH, POST, PUT Unsupported media type. As of this writing, this happens only whenever the request is sent with a body and the Content-Type header is not set to "application/json"
422 PATCH, POST, and PUT to create or update a record Unprocessable entity. This always indicates a validation error when attempting to set fields of and save an active record model.
429 Platinum Edition only; All request methods/actions Too many requests. When rate limiting is enabled in the API settings, the server will use this code to indicate that the API client has been making requests to the API too frequently. When this status is sent, the response should also contain a Retry-After header specifying the number of seconds to wait before trying again.
Server Error (5XX)
500 All request methods/actions Internal server error. General status for when something isn't right on the server. PHP and database errors will produce this status code.
501 All request methods/actions Not implemented. The API should use this code to denote that a given method, action, etc. is not yet available, but may be in the future.
503 Professional and Platinum Editions; All request methods/actions Unavailable. X2Engine and/or its API service has been disabled/locked by an administrator.

Error Stubs

In most error responses produced by the server, the API will also include in the body of the response a JSON with metadata about the response. This is for compatibility with less-than-satisfactory client libraries which cannot read the actual response code or headers, but might be able to read the response body when the code is not in the success (2XX) range. In such cases, the response will be a JSON-encoded object with at least the following properties:

property contents
httpHeaders A dictionary of HTTP headers that were set in the response.
message A general message about what happened and why. This will in most cases also be saved in the API log.
error Boolean true/false if an error occurred.
status The HTTP status code that was sent in the response header