REST API

API Reference

The NetKey REST API enables programmatic access to PSK management, user administration, and automation capabilities. Perfect for integrating with PMS systems, custom portals, and automation workflows.

Introduction

Base URL https://api.netkey.no/api/v1

Content Type application/json

API Version v1

The API follows REST conventions and returns JSON responses. All requests must include proper authentication headers.

Quick Example

curl -X GET "https://api.netkey.no/api/v1/psks" \
  -H "X-API-Key: nk_abc123..." \
  -H "Content-Type: application/json"

Authentication

NetKey supports two authentication methods: API Keys for programmatic access and JWT tokens for user sessions.

Authentication Methods

Method	Use Case	Header
API Keys	Integrations, automation, scripts	`X-API-Key: nk_...`
JWT Tokens	Web dashboard, user sessions	`Authorization: Bearer ...`

API Keys

API keys are recommended for programmatic access. They can be created by Group Admins in the Settings → API Keys section of the dashboard.

Include your API key in the X-API-Key header with every request:

X-API-Key: nk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

API Key Format

API keys follow this format:

nk_... - API key with a random alphanumeric suffix

Keep Your API Key Secure

Never expose your API key in client-side code, public repositories, or logs. Treat it like a password.

JWT Tokens

For web applications and user sessions, NetKey uses JWT access tokens with refresh token rotation. See the Web Authentication Guide for details.

Include the JWT in the Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

API Key Scopes

API keys can have limited permissions through scopes:

Scope	Permission
`psks:read`	List and view PSKs
`psks:write`	Create and update PSKs
`psks:delete`	Delete PSKs
`endpoints:read`	List and view endpoints
`endpoints:write`	Create and update endpoints
`users:read`	List and view users
`users:write`	Create and update users

Rate Limits

API requests are rate limited to ensure fair usage and system stability. Rate limits are applied per API key.

Limit Type	Default	Maximum
Requests per hour	1,000	10,000
Requests per minute	100	500

Rate Limit Headers

Responses include headers indicating your current rate limit status:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1735200000

Error Handling

The API uses standard HTTP status codes to indicate the success or failure of requests. Error responses include a JSON body with details.

HTTP Status Codes

Code	Meaning
200	Success
201	Created
400	Bad Request - Invalid parameters
401	Unauthorized - Invalid or missing API key
403	Forbidden - Insufficient permissions
404	Not Found - Resource doesn't exist
429	Too Many Requests - Rate limit exceeded
500	Server Error - Something went wrong

Error Response Format

{
  "success": false,
  "error": "PSK not found",
  "code": "PSK_NOT_FOUND",
  "details": {
    "psk_id": 123
  }
}

Login

POST /api/auth/login

Authenticate a user and receive access and refresh tokens.

Request Body

Field	Type	Required	Description
`username`	string	Yes	User's email or username
`password`	string	Yes	User's password
`remember_me`	boolean	No	Extended session (30 days vs 14 days)
`totp_code`	string	Conditional	6-digit MFA code (if MFA enabled)

Response

{
  "success": true,
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 3600,
  "user": {
    "id": 1,
    "username": "user@example.com",
    "full_name": "John Doe",
    "role": "GROUP_ADMIN",
    "group_id": 3,
    "group_name": "Acme Corp"
  }
}

// Also sets HttpOnly cookie:
Set-Cookie: refresh_token=...; HttpOnly; Secure; SameSite=Lax; Path=/api/auth

MFA Required Response

If MFA is enabled but no TOTP code provided:

{
  "requires_mfa": true,
  "mfa_type": "totp"
}

Refresh Token

POST /api/auth/refresh

Get a new access token using the refresh token cookie. No request body needed.

Cookie Required

This endpoint requires the refresh_token cookie to be sent with the request. Use credentials: 'include' in fetch.

Response

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 3600
}

// Rotates the refresh token:
Set-Cookie: refresh_token=new_token...; HttpOnly; Secure; SameSite=Lax; Path=/api/auth

Token Rotation

For security, each refresh request invalidates the old refresh token and issues a new one.

Logout

POST /api/auth/logout

Invalidate the current session and revoke the refresh token.

Headers

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Response

{
  "success": true
}

// Clears the refresh token cookie:
Set-Cookie: refresh_token=; Expires=Thu, 01 Jan 1970; Path=/api/auth

Get Current User

GET /api/auth/me

Get the current authenticated user's profile information.

Headers

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Response

{
  "id": 1,
  "username": "user@example.com",
  "full_name": "John Doe",
  "role": "GROUP_ADMIN",
  "group_id": 3,
  "group_name": "Acme Corp",
  "email_verified": true,
  "mfa_enabled": true,
  "last_login": "2026-01-07T10:30:00Z",
  "created_at": "2025-06-15T08:00:00Z"
}

List PSKs

GET /api/v1/psks

Retrieve a list of all PSKs in your group.

Headers

Header	Required	Description
`X-API-Key`	Yes	Your API key with `psks:read` scope

Example Request

curl -X GET "https://api.netkey.no/api/v1/psks" \
  -H "X-API-Key: nk_abc123..."

Example Response

{
  "psks": [
    {
      "id": 1,
      "psk_id": "guest-a1b2c3d4",
      "description": "Guest - John Smith",
      "vlan_id": 100,
      "enabled": true,
      "expires": "2025-12-31T23:59:59",
      "created_at": "2025-01-15T10:30:00"
    }
  ],
  "total": 1
}

Get PSK

GET /api/v1/psks/{id}

Retrieve a specific PSK by ID, including the PSK value.

Path Parameters

Parameter	Type	Description
`id`	integer	PSK ID

Example Request

curl -X GET "https://api.netkey.no/api/v1/psks/1" \
  -H "X-API-Key: nk_abc123..."

Example Response

{
  "id": 1,
  "psk_id": "guest-a1b2c3d4",
  "psk_value": "SecureGuest123",
  "description": "Guest - John Smith",
  "vlan_id": 100,
  "enabled": true,
  "expires": "2025-12-31T23:59:59",
  "created_at": "2025-01-15T10:30:00"
}

Create PSK

POST /api/v1/psks

Create a new PSK. Useful for guest access, hospitality integrations, etc.

Request Body

Field	Type	Required	Description
`psk_id`	string	No	Unique identifier for the PSK. Auto-generated if omitted.
`psk_value`	string	No	PSK passphrase (min 8 chars). Auto-generated if omitted.
`description`	string	No	Description for the PSK
`vlan_id`	integer	No	VLAN ID to assign
`expires`	string	No	Expiration date (ISO 8601 format)
`expires_in_hours`	integer	No	Hours until expiration (alternative to expires)

Example Request

curl -X POST "https://api.netkey.no/api/v1/psks" \
  -H "X-API-Key: nk_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "psk_id": "guest-jane-doe",
    "description": "Guest - Jane Doe",
    "vlan_id": 100,
    "expires_in_hours": 24
  }'

Example Response

{
  "id": 42,
  "psk_id": "guest-jane-doe",
  "psk_value": "Abc123XyzDef",
  "description": "Guest - Jane Doe",
  "vlan_id": 100,
  "expires": "2025-01-21T15:00:00",
  "enabled": true
}

Update PSK

PUT /api/v1/psks/{id}

Update an existing PSK.

Request Body

All fields are optional. Only include fields you want to update.

Field	Type	Description
`psk_id`	string	Update the PSK identifier
`psk_value`	string	Update the passphrase
`description`	string	Update the description
`vlan_id`	integer	Update VLAN assignment
`expires`	string	Update expiration (ISO 8601)
`enabled`	boolean	Enable/disable PSK

Example Request

curl -X PUT "https://api.netkey.no/api/v1/psks/42" \
  -H "X-API-Key: nk_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "description": "Updated guest",
    "vlan_id": 200
  }'

Delete PSK

DELETE /api/v1/psks/{id}

Delete a PSK. This action cannot be undone.

Example Request

curl -X DELETE "https://api.netkey.no/api/v1/psks/42" \
  -H "X-API-Key: nk_abc123..."

Example Response

{
  "success": true,
  "deleted_id": 42
}

List Endpoints

GET /api/v1/endpoints

Coming Soon

Endpoint management via API is planned for a future release. Use the web dashboard to manage endpoints.

List all endpoints (devices) for iPSK authentication.

Create Endpoint

POST /api/v1/endpoints

Coming Soon

Endpoint creation via API is planned for a future release.

Add a new device endpoint for iPSK authentication.

Delete Endpoint

DELETE /api/v1/endpoints/{id}

Coming Soon

Endpoint deletion via API is planned for a future release.

Remove a device endpoint.

List Users

GET /api/v1/users

Coming Soon

User management via API is planned for a future release. Use the web dashboard to manage users.

Retrieve all users in your group.

Create User

POST /api/v1/users

Coming Soon

User creation via API is planned for a future release.

Create a new user in your group.

Request Body

Request Body (Coming Soon)

Field	Type	Required	Description
`username`	string	Yes	Unique username
`email`	string	Yes	Email address
`password`	string	Yes	Password (min 8 chars)
`full_name`	string	No	Full name
`role`	string	No	USER or GROUP_ADMIN (default: USER)