An API to deal with the Flexisip server.
The API is available under /api
A content-type and accept HTTP headers are REQUIRED to use the API properly
> GET /api/{endpoint}
> content-type: application/json
> accept: application/json
Restricted endpoints are protected using a DIGEST authentication or an API Key mechanisms.
The endpoints are accessible using three different models:
You can add an Accept-Language header to your request to translate the responses, and especially errors messages, in a specific language.
Currently supported languages: fr, en
> GET /api/{endpoint}
> Accept-Language: fr
> …
< HTTP 422
< {
< "message": "Le champ pseudo est obligatoire.",
< "errors": {
< "username": [
< 0 => "Le champ pseudo est obligatoire."
< ]
< }
< }
You can retrieve an API Key from your account panel or using the dedicated API endpoint.
The generated API Key will be restricted to the IP that generates it and will be destroyed if not used after some times.
You can then use your freshly generated key by adding a new x-api-key header to your API requests:
> GET /api/{endpoint}
> x-api-key: {your-api-key}
> …
Or using a cookie:
> GET /api/{endpoint}
> Cookie: x-api-key={your-api-key}
> …
You can use a JWT token to authenticate on the API.
To do so you MUST inject it as an Authorization: Bearer header and configure the API with the public key of the token emitter.
> GET /api/{endpoint}
> Authorization: Bearer {your-jwt-token}
> …
The API will then check if the token was signed properly, is still valid and authenticate a user that is actually available in the system.
To discover the available hashing algorythm you MUST send an unauthenticated request to one of the restricted endpoints.
Only DIGEST-MD5 and DIGEST-SHA-256 are supported through the authentication layer.
A from (consisting of the user SIP address, prefixed with sip:) header is required to initiate the DIGEST flow.
> GET /api/{restricted-endpoint}
> from: sip:foobar@sip.example.org
> …
< HTTP 401
< content-type: application/json
< www-authenticate: Digest realm=test,qop=auth,algorithm=MD5,nonce="{nonce}",opaque="{opaque}"
< www-authenticate: Digest realm=test,qop=auth,algorithm=SHA-256,nonce="{nonce}",opaque="{opaque}"
You can find more documentation on the related IETF RFC-7616.
GET /pingPublic
Returns pong
An account_creation_request_token is a unique token that can be validated and then used to generate a valid account_creation_token.
POST /account_creation_request_tokensPublic
Create and return an account_creation_request_token that should then be validated to be used.
Manage the list of allowed sip_domains. The admin accounts declared with a domain that is a super sip_domain will become Super Admin.
GET /sip_domainsSuper Admin
Get the list of declared SIP Domains.
GET /sip_domains/{domain}Super Admin
Get a SIP Domain.
POST /sip_domainsSuper Admin
Create a new sip_domain.
JSON parameters:
domain required, the domain to use, must be uniquesuper required, boolean, set the domain as a Super Domaindisable_chat_feature boolean, disable the chat feature, default to false
disable_meetings_feature boolean, disable the meeting feature, default to false
disable_broadcast_feature boolean, disable the broadcast feature, default to true
hide_settings boolean, hide the app settings, default to false
hide_account_settings boolean, disable the account settings, default to false
disable_call_recordings_feature boolean, disable the call recording feature, default to false
only_display_sip_uri_username boolean, hide the SIP uris in the app, default to false
assistant_hide_create_account boolean, disable the account creation assistant, default to false
assistant_disable_qr_code boolean, disable the QR code feature in the assistant, default to false
assistant_hide_third_party_account boolean, disable the call recording feature, default to false
max_account integer, the maximum number of accounts configurable in the app, default to 0 (infinite)PUT /sip_domains/{domain}Super Admin
Update an existing sip_domain.
JSON parameters:
super required, boolean, set the domain as a Super Domaindisable_chat_feature required, booleandisable_meetings_feature required, booleandisable_broadcast_feature required, booleanhide_settings required, booleanhide_account_settings required, booleandisable_call_recordings_feature required, booleanonly_display_sip_uri_username required, booleanassistant_hide_create_account required, booleanassistant_disable_qr_code required, booleanassistant_hide_third_party_account required, booleanmax_account required, integerDELETE /sip_domains/{domain}Super Admin
Delete a domain, be careful, all the related accounts will also be destroyed.
An account_creation_token is a unique token that allow the creation or the validation of a unique account.
POST /account_creation_tokens/send-by-pushPublic
Create and send an account_creation_token using a push notification to the device.
Return 403 if a token was already sent, or if the tokens limit is reached for this device.
Return 503 if the token was not successfully sent.
JSON parameters:
pn_provider the push notification providerpn_param the push notification parameterpn_prid the push notification unique idPOST /account_creation_tokens/using-account-creation-request-tokenPublic
Create an account_creation_token using an account_creation_request_token.
Return an account_creation_token.
Return 404 if the account_creation_request_token provided is not valid or expired otherwise.
JSON parameters:
account_creation_request_token required
POST /account_creation_tokens/consumeUser
Consume an account_creation_token and link it to the authenticated account.
Return an account_creation_token.
Return 404 if the account_creation_token provided is not valid.
JSON parameters:
account_creation_token required
POST /account_creation_tokensAdmin
Create and return an account_creation_token.
POST /accounts/auth_tokenPublic
Generate an auth_token. To attach the generated token to an account see auth_token attachement endpoint.
Return the auth_token object.
GET /accounts/auth_token/{auth_token}/attachUser
Attach a publicly generated authentication token to the currently authenticated account.
Return 404 if the token is non existing or invalid.
POST /accounts/publicDisabled Public Unsecure endpoint
Create an account.
Return 422 if the parameters are invalid.
Send an email with the activation key if email is set, send an SMS otherwise.
JSON parameters:
username required if phone not set, unique username, minimum 6 characterspassword required minimum 6 charactersalgorithm required, values can be SHA-256 or MD5
domain if not set the value is enforced to the default registration domain set in the global configurationemail optional if phone set, an email, set an email to the account, must be unique if ACCOUNT_EMAIL_UNIQUE is set to true
phone required if username not set, optional if email set, a valid phone number, set a phone number to the accountaccount_creation_token the unique account_creation_token
POST /accounts/with-account-creation-tokenPublic
Create an account using an account_creation_token.
Return 422 if the parameters are invalid or if the token is expired.
JSON parameters:
username unique username, minimum 6 characterspassword required minimum 6 charactersalgorithm required, values can be SHA-256 or MD5
account_creation_token the unique account_creation_token
dtmf_protocol optional, values must be sipinfo, sipmessage or rfc2833
GET /accounts/{sip}/infoPublic
Retrieve public information about the account.
Return 404 if the account doesn't exists.
GET /accounts/{phone}/info-by-phoneDisabled Public Unsecure endpoint
Retrieve public information about the account.
Return 404 if the account doesn't exists.
Return phone: true if the returned account has a phone number.
POST /accounts/recover-by-phoneDisabled Public Unsecure endpoint
Send a SMS with a recovery PIN code to the phone number provided.
Return 404 if the account doesn't exists.
Can only be used once, a new recover_key need to be requested to be called again.
JSON parameters:
phone required, the phone number to send the SMS toaccount_creation_token the unique account_creation_token
GET /accounts/{sip}/recover/{recover_key}Disabled Public Unsecure endpoint
Activate the account if the correct recover_key is provided.
The sip parameter can be the default SIP account or the phone based one.
Return the account information (including the hashed password) if valid.
Return 404 if the account doesn't exists.
POST /accounts/{sip}/activate/emailPublic
Use POST /accounts/me/email/request instead.
Activate an account using a secret code received by email.
Return 404 if the account doesn't exists or if the code is incorrect, the validated account otherwise.
JSON parameters:
confirmation_key the confirmation keyPOST /accounts/{sip}/activate/phonePublic
Use POST /accounts/me/phone/request instead.
Activate an account using a pin code received by phone.
Return 404 if the account doesn't exists or if the code is incorrect, the validated account otherwise.
JSON parameters:
confirmation_key the PIN codeGET /accounts/me/api_key/{auth_token}Public
Generate and retrieve a fresh API Key from an auth_token. The auth_token must be attached to an existing account, see auth_token attachement endpoint to do so.
Return 404 if the token is invalid or not attached.
This endpoint is also setting the API Key as a Cookie.
GET /accounts/me/api_keyUser
Generate and retrieve a fresh API Key. This endpoint is also setting the API Key as a Cookie.
GET /accounts/meUser
Retrieve the account information.
GET /accounts/me/services/turnUser
If configured, returns valid TURN credentials following the draft-uberti-behave-turn-rest-00 IEFT Draft.
GET /accounts/me/provisionUser
Provision the account by generating a fresh provisioning_token.
Return the account object.
DELETE /accounts/meUser
Delete the account.
POST /accounts/me/passwordUser
Change the account password.
JSON parameters:
algorithm required, values can be SHA-256 or MD5
old_password required if the password is already set, the old passwordpassword required, the new passwordPOST /accountsAdmin
To create an account directly from the API. If activated is set to false a random generated confirmation_key and provisioning_token will be returned to allow further activation using the public endpoints and provision the account. Check confirmation_key_expires to also set an expiration date on that confirmation_key.
JSON parameters:
username unique username, minimum 6 characterspassword required minimum 6 charactersalgorithm required, values can be SHA-256 or MD5
domain not configurable by default. Only configurable if the admin is a super admin. Otherwise APP_SIP_DOMAIN is used. If the domain is not available in the sip_domains list, it will be created automatically.activated optional, a boolean, set to false by defaultdisplay_name optional, stringemail optional, must be an email, must be unique if ACCOUNT_EMAIL_UNIQUE is set to true
admin optional, a boolean, set to false by default, create an admin accountphone optional, a valid phone number, set a phone number to the accountdtmf_protocol optional, values must be sipinfo, sipmessage or rfc2833
dictionary optional, an associative array attached to the account, see also the related endpoints.confirmation_key_expires optional, a datetime of this format: Y-m-d H:i:s. Only used when activated is not used or false. Enforces an expiration date on the returned confirmation_key. After that datetime public email or phone activation endpoints will return 403.PUT /accounts/{id}Admin
Update an existing account. Ensure to resend all the parameters to not reset them.
JSON parameters:
username unique username, minimum 6 charactersdomain not configurable by default. Only configurable if the admin is a super admin. Otherwise APP_SIP_DOMAIN is used.password required minimum 6 charactersalgorithm required, values can be SHA-256 or MD5
display_name optional, stringemail optional, must be an email, must be unique if ACCOUNT_EMAIL_UNIQUE is set to true
admin optional, a boolean, set to false by defaultphone optional, a valid phone number, set a phone number to the accountdtmf_protocol optional, values must be sipinfo, sipmessage or rfc2833
Using this endpoint you can also set a fresh dictionnary if the parameter is set. The existing dictionary entries will be destroyed.
dictionary optional, an associative array attached to the account, see also the related endpoints.This endpoint also return the current phone_change_code and email_change_code if they are available.
GET /accountsAdmin
Retrieve all the accounts, paginated.
GET /accounts/{id}Admin
Retrieve a specific account.
GET /accounts/{sip}/searchAdmin
Search for a specific account by sip address.
GET /accounts/{email}/search-by-emailAdmin
Search for a specific account by email.
DELETE /accounts/{id}Admin
Delete a specific account and its related information.
POST /accounts/{id}/activateAdmin
Activate an account.
POST /accounts/{id}/deactivateAdmin
Deactivate an account.
POST /accounts/{id}/blockAdmin
Block an account.
POST /accounts/{id}/unblockAdmin
Unblock an account.
GET /accounts/{id}/provisionAdmin
Provision an account by generating a fresh provisioning_token.
POST /accounts/me/email/requestUser
Request to change the account email. An email will be sent to the new email address to confirm the operation.
Will return 403 if the account doesn't have a validated Account Creation Token attached to it.
JSON parameters:
email the new email address, must be unique if ACCOUNT_EMAIL_UNIQUE is set to true
POST /accounts/me/emailUser
Confirm the code received and change the email. Activate the account.
JSON parameters:
code the code received by emailReturn the updated account.
POST /accounts/me/phone/requestUser
Request a specific code by SMS to change the phone number.
Will return 403 if the account doesn't have a validated Account Creation Token attached to it.
JSON parameters:
phone the phone number to send the SMSPOST /accounts/me/phoneUser
Confirm the code received and change the phone number. Activate the account.
JSON parameters:
code the received SMS codeReturn the updated account.
GET /accounts/{id/me}/devicesAdmin User
Return the user registered devices.
DELETE /accounts/{id/me}/devices/{uuid}Admin User
Remove one of the user registered devices.
GET /accounts/me/contactsUser
Return the user contacts.
GET /accounts/me/contacts/{sip}User
Return a user contact.
POST /accounts/{id/me}/vcards-storageAdmin User
Store a vCard.
JSON parameters:
vcard, mandatory, a valid vCard having a mandatory UID parameter that is uniquelly identifying it. This UID parameter will then be used to manipulate the vcard through the following endpoints as uuid.PUT /accounts/{id/me}/vcards-storage/{uuid}Admin User
Update a vCard.
JSON parameters:
vcard, mandatory, a valid vCard having a mandatory UID parameter that is uniquelly identifying it and is the same as the uuid parameter.GET /accounts/{id/me}/vcards-storageAdmin User
Return the list of stored vCards
GET /accounts/{id/me}/vcards-storage/{uuid}Admin User
Return a stored vCard
DELETE /accounts/{id/me}/vcards-storage/{uuid}Admin User
Delete a stored vCard
GET /accounts/{id}/contactsAdmin
Get all the account contacts.
POST /accounts/{id}/contacts/{contact_id}Admin
Add a contact to the list.
DELETE /accounts/{id}/contacts/{contact_id}Admin
Remove a contact from the list.
GET /accounts/{id}/dictionaryAdmin
Get all the account dictionary entries.
POST /accounts/{id}/dictionary/{key}Admin
Add or update a new entry to the dictionary
JSON parameters:
value required, the entry valueDELETE /accounts/{id}/dictionary/{key}Admin
Remove an entry from the dictionary.
The following endpoints will return 403 Forbidden if the requested account doesn't have a DTMF protocol configured.
GET /accounts/{id}/actionsAdmin
Show an account related actions.
GET /accounts/{id}/actions/{action_id}Admin
Show an account related action.
POST /accounts/{id}/actions/Admin
Create an account action.
JSON parameters:
key required, alpha numeric with dashes, lowercasecode required, alpha numeric, lowercasePUT /accounts/{id}/actions/{action_id}Admin
Create an account action.
JSON parameters:
key required, alpha numeric with dashes, lowercasecode required, alpha numeric, lowercaseDELETE /accounts/{id}/actions/{action_id}Admin
Delete an account related action.
GET /contacts_listsAdmin
Show all the contacts lists.
GET /contacts_lists/{id}Admin
Show a contacts list.
POST /contacts_listsAdmin
Create a contacts list.
JSON parameters:
title required
description required
PUT /contacts_lists/{id}Admin
Update a contacts list.
JSON parameters:
title required
description required
DELETE /contacts_lists/{id}Admin
Delete a contacts list.
POST /contacts_lists/{contacts_list_id}/contacts/{contact_id}Admin
Add a contact to the contacts list.
DELETE /contacts_lists/{contacts_list_id}/contacts/{contact_id}Admin
Remove a contact from the contacts list.
POST /accounts/{id}/contacts_lists/{contacts_list_id}Admin
Add a contacts list to the account.
DELETE /accounts/{id}/contacts_lists/{contacts_list_id}Admin
Remove a contacts list from the account.
GET /account_typesAdmin
Show all the account types.
GET /account_types/{id}Admin
Show an account type.
POST /account_typesAdmin
Create an account type.
JSON parameters:
key required, alpha numeric with dashes, lowercasePUT /account_types/{id}Admin
Update an account type.
JSON parameters:
key required, alpha numeric with dashes, lowercaseDELETE /account_types/{id}Admin
Delete an account type.
POST /accounts/{id}/types/{type_id}Admin
Add a type to the account.
DELETE /accounts/{id}/contacts/{type_id}Admin
Remove a type from the account.
POST /messagesAdmin
Send a message over SIP.
JSON parameters:
to required, SIP address of the receiverbody required, content of the messageThe phone numbers managed by FlexiAPI are validated against a list of countries that can be managed in the admin web panels.
GET /phones_countriesPublic
Return the list of Phone Countries and their current status.
If a country is deactivated all the new submitted phones submitted on the platform will be blocked.
FlexiAPI can record logs generated by the FlexiSIP server and compile them into statistics.
POST /statistics/messagesAdmin
Announce the creation of a message.
JSON parameters:
id required, stringfrom required, string the sender of the messagesent_at required, string, format ISO8601, when the message was actually sentencrypted required, booleanconference_id stringPATCH /statistics/messages/{message_id}/to/{to}/devices/{device_id}Admin
Complete a message status.
JSON parameters:
last_status required, an integer containing the last status codereceived_at required, format ISO8601, when the message was receivedPOST /statistics/callsAdmin
Announce the beginning of a call.
JSON parameters:
id required, stringfrom required, string the initier of the callto required, string the destination of the callinitiated_at required, string, format ISO8601, when the call was startedended_at string, format ISO8601, when the call finishedconference_id stringPATCH /statistics/calls/{call_id}/devices/{device_id}Admin
Complete a call status.
JSON parameters:
rang_at format ISO8601, when the device ranginvite_terminated
at format ISO8601, when the invitation endedstate the termination statePATCH /statistics/calls/{call_id}Admin
Update a call when ending.
JSON parameters:
ended_at required, string, format ISO8601, when the call finishedThe following URLs are not API endpoints they are not returning JSON content and they are not located under /api but directly under the root path.
GET /contacts/vcardUser
Return the authenticated user contacts list, in vCard 4.0 format.
Here is the format of the vCard list returned by the endpoint:
BEGIN:VCARD
VERSION:4.0
KIND:individual
IMPP:sip:schoen.tatyana@sip.linphone.org
FN:schoen.tatyana@sip.linphone.org
X-LINPHONE-ACCOUNT-DTMF-PROTOCOL:sipinfo
X-LINPHONE-ACCOUNT-TYPE:phone
X-LINPHONE-ACCOUNT-ACTION:action_key;123
END:VCARD
BEGIN:VCARD
VERSION:4.0
KIND:individual
IMPP:sip:dhand@sip.linphone.org
FN:dhand@sip.linphone.org
X-LINPHONE-ACCOUNT-DTMF-PROTOCOL:sipinfo
END:VCARD
GET /contacts/vcard/{sip}User
Return a specific user authenticated contact, in vCard 4.0 format.
GET /vcards-storageUser
Return the list of stored vCards
GET /vcards-storage/{uuid}User
Return a stored vCard