Security (legacy)

This page contains information on various security aspects of the EVRYTHNG Platform that may concern developers who are building apps and devices that integrate in a secure way.

API Authentication

All requests to the EVRYTHING API must be correctly authenticated using one of the five types of API key. Unauthenticated/incorrectly authenticated requests will be refused. The type of key required depends on the scope and permissions required to perform that action.

See API Key Scopes and Permissions for more information on authenticating requests.

Roles and Permissions

Within an account shared by more than one operator, the visibility and permissions of which resources can be manipulated by each Operator are determined by the role they are assigned. Operator roles are attributed to the account level, and can only be created by the account administrator.

In addition, application users can be assigned Application User roles to manage which resources they can see and interact with on a more granular level.

See Roles and Permissions for more information on using roles to control API access.


Devices communicating with the EVRYTHNG Platform that perform their own security handshake (such as HTTPS, or MQTT over secure WebSockets) should use certificate file provided below:

Checksum: 42067e00939eede422ec6134cc20eeb1aa35a4ebc22fbd632ebb81a5349410d4



All the root certificates in the archive should be included to securely connect to the EVRYTHNG platform.

Using CORS

To implement an entirely web-based solution (Javascript client, without any server-based app), you need to be able to call our APIs located on another domain than the website. To make the life of Javascript developers easier we provide support for CORS allow client-side Javascript to access our API directly with no need for server-side proxy-code. CORS (Cross-Origin Resource Sharing) is the preferred standard technique when dealing with the same-origin policy.

Our API implements the full CORS spec including pre-flight requests. To use it simply access our API from the main domain:

CORS in Common Libraries

Most of client-side libraries support CORS transparently. The example below is using jQuery to create a Thng directly from a client-side script:

const data = {
  name: 'Fridge',
  description: 'The fridge in the main kitchen',
  location: {
    latitude: 43.772828,
    longitude: 11.249488
  properties: {
    temperature_celsius: 5
  tags: [ 'demo' ]

  type: 'POST',
  contentType: 'application/json',
  data: JSON.stringify(data),
  success: console.log