Access to our API is achieved via HTTPS requests to the domain. A combination of API key, URL validation, and roles and permissions are used to determine the validity of each request.

All API requests must use one of the secure https, mqtts, or wss protocols. Devices requiring extra configuration to use TLS should use the certificates available on the Security page.

Authenticating Requests

Every request to our API must (unless otherwise stated) contain a valid API key in the Authorization HTTP header to identify the user or application issuing the request and execute it if authorized.

Here is an example of a request to our API that returns the list of all the Thngs you have created. Note the appropriate use of the Authorization header.

curl -i -H "Accept: application/json" \
  -H "Authorization: $APPLICATION_USER_API_KEY" \
  -X GET ""

As an alternative, instead of sending the API key in the Authorization header, you can simply append ?access_token=$OPERATOR_API_KEY to any URL in the API. This request is equivalent to the one above:

curl -i -H "Accept: application/json" \

For JavaScript developers evrythng.js makes this even easier by only requiring you to initialise a scope object with the right API key:

// User key
const OPERATOR_API_KEY = 'AGiWrH5Ote...';

const operator = new evrythng.Operator(OPERATOR_API_KEY);


Updated 11 months ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.