Authentication (legacy)

Access to our API is achieved via HTTPS requests to the domain. A combination of API key, URL validation, and roles and permissions are used to determine the validity of each request.

All API requests must use one of the secure https, mqtts, or wss protocols. Devices requiring extra configuration to use TLS should use the certificates available on the Security page.

Authenticating Requests

Every request to our API must (unless otherwise stated) contain a valid API key in the Authorization HTTP header to identify the user or application issuing the request and execute it if authorized.

Here is an example of a request to our API that returns the list of all the Thngs you have created. Note the appropriate use of the Authorization header.

curl -i -H "Accept: application/json" \
  -H "Authorization: $APPLICATION_USER_API_KEY" \
  -X GET ""

As an alternative, instead of sending the API key in the Authorization header, you can simply append ?access_token=$APPLICATION_USER_API_KEY to any URL in the API. This request is equivalent to the one above:

curl -i -H "Accept: application/json" \

For JavaScript developers evrythng.js makes this even easier by only requiring you to initialise a scope object with the right API key:

// Truncated key
const APPLICATION_API_KEY = 'AGiWrH5Ote...';

const app = new evrythng.Application(APPLICATION_API_KEY);