Requests to fetch data will accept HTTP GET or POST.
The /login endpoint requires POST for security.
HTTPS will be enforced on production nodes.
Times will be passed as unix timestamps in all cases.
Most methods which handle timestamps have the same requirements and validation, which are:
- "from" (required)
- "until" (optional, will default to now if not specified, if specified must be greater than "from")
A session id will automatically be created for any unauthorized request and passed back in the status of the response as "session_id". A cookie will also be set.
An application using the API should pass back the “session_id” parameter in every request and not trust the cookie to work as the app may not be in the same cookie domain as the API.
The API will look for an existing session id on an incoming request in this order:
- An HTTP header called "X-Session-Id"
- A GET or POST parameter called "session_id"
- A cookie called “session_id”
The API can also authenticate to an organization level (not user level) via a token. Auth token are checked after user sessions, so if you pass both, the user-level login will take preference. If you're logged in as a user and you want to use token authentication, log out first.
This should be passed in a request header as: