This page contains information about various security aspects of the EVRYTHNG Platform for developers who are building apps and devices that integrate in a secure way.

API Authentication

All requests to the EVRYTHING API must be authenticated using one of the two types of API keys. Unauthenticated requests are refused.

See Authentication for more information about authenticating requests.

Roles and Permissions

Within an account shared by more than one actor, the visibility and permissions of which resources can be manipulated by each actor are determined by the role they're assigned. Roles are attributed to the account level and can be created only by the account administrator.

Also, you can assign restrictive conditions to actors to manage which resources they can interact with on a more granular level, based on a specific resource attribute.

See Roles and Permissions for more information about using roles to control API access. Read about Restrictive Conditions) to learn how to manage actors' accesses on a resource attribute basis.

Using CORS

To implement an entirely web-based solution (JavaScript client with no server-based app), you must be able to call our APIs located on another domain. To make the work of JavaScript developers easier, we provide support for Cross-Origin Resource Sharing (CORS). CORS allows client-side JavaScript to access our API directly with no need for server-side proxy code. CORS is the preferred standard technique when dealing with the same-origin policy.

Our API implements the full CORS specification, including pre-flight requests. To use it, simply access our API from

CORS in Common Libraries

Most client-side libraries support CORS transparently. The example below is using jQuery to create a Thng directly from a client-side script:

const data = {
  name: 'Fridge',
  description: 'The fridge in the main kitchen',
  location: {
    latitude: 43.772828,
    longitude: 11.249488
  properties: {
    temperature_celsius: 5
  tags: [ 'demo' ]

  type: 'POST',
  contentType: 'application/json',
  data: JSON.stringify(data),
  success: console.log