Introduction

The SIM For Things System provides a RESTful API. Communication with the API is done over HTTP(S) requests with JSON request body with application/json content-type and an authentication token as a requirement for every API call.

The API is defined in detail in the following section, but here are some highlights:

  • Lookup values are accessed at the same level as the resource they describe. For example, the URL to retrieve the list of possible statuses of an endpoint is /api/v1/endpoint/status.
  • Collection responses are NOT wrapped in an envelope. Instead the result metadata is returned in the header of the response.
  • Paging, filtering sorting of large datasets are managed via query parameters of GET requests.
  • The API provides complex error messages capable of reporting a set of errors.
  • The API implicitly provides multi-tenancy management. The server limits the visibility of the data and available operations based on the organisation of the user identified by authentication token.
  • When associating an existing object(s) to a collection, it is sufficient to provide only the object(s) IDs.

The following service pattern is provided for all major resources:

Action URL Description
GET /api/v1/resource retrieve resource collection
POST /api/v1/resource create resource
GET /api/v1/resource/{id} retrieve single resource
PATCH /api/v1/resource/{id} update single resource
DELETE /api/v1/resource/{id} delete single resource
PUT /api/v1/resource/{id1}/collection/{id2} add item with id id2 to a collection of a resource with id id1.

N.B. The word endpoint, typically used in RESTful API definitions has a particular meaning in the BICS application domain. To avoid confusion, the word endpoint will be used in this documentation to identify endpoint entities (resources) of the SIM For Things System domain while the word entrypoint will be used to identify generic RESTful API endpoints.

Securing the API

The API is secured through usage of JSON Web Tokens (JWT) which are an open standard (RFC 7519) for representing claims securely between two parties.

The server generates JWT tokens for accessing the API (further referenced as ‘authentication token’) for users or applications after they present verifiable credentials. Once the credentials are exchanged for an authentication token on the server, the client has to submit it within the HTTP Authorisation header in each subsequent request. The system validates the rights and permissions of the requesting user/application by parsing the token’s content.

The authentication token expires after 240 minutes. Therefore the authentication needs to be performed again to obtain a new authentication token.

If the authentication token is missing, invalid or expired the API returns 401 Unauthorized response status.

If a client tries to access resources that exists, but the client does not have the permissions or the rights to access it, the API returns either 403 Forbidden or 404 Not Found.

These requirements are general and will not be repeated in in the remainder of this API specification.

Connection

All API calls including the authentication must be made over secure socket (SSL).

The server responds to API request in gzip compressed format with the following header

Content-Encoding: gzip
Content-Type: application/json

Rate Limiting

The SIM For Things System REST API has rate limiting enforced at the following values:

  • 2000 requests per IP in a five minute window

When this threshold is reached, 403 Forbidden will be returned by the system as a response to excessive requests until the average request rate is within the specified limit.

URL format

All API URLs are following a generic structure like

/api/APIVERSION/ENTRYPOINT/{object_id}

e.g.

/api/v1/user/123

Also some resources may provide access to further sub-resources

/api/v1/organisation/123/contact

HTTP verbs

Here is the definition of HTTP verbs used in the API with description and typical responses upon request to collection entrypoint and single resource entrypoint.

VERB Description Collection Response
i.e. /sim
Item Response
i.e. /sim/{id}
GET retrieves a representation of a resource without side-effects (nothing changes on the server) 200 (OK), list of SIMs. Use pagination, sorting and filtering to navigate big lists. 200 (OK), single SIM. 404 (Not Found), if ID not found or invalid.
HEAD retrieves just the resource meta-information (headers) e.g. same as GET but without the response body - also without side-effects TBD  
OPTIONS returns the actions supported for specified the resource - also without side-effects TBD  
POST creates a resource 201 (Created), ‘Location’ header with link to /sim/{id} containing new ID. 404 (Not Found).
PUT (completely) replaces an existing resource 404 (Not Found) 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid.
PATCH partial modification of a resource 404 (Not Found) 200 (OK) or 204 (No Content). 404 (Not Found), if ID not found or invalid.
DELETE deletes a resource 404 (Not Found) 200 (OK). 404 (Not Found), if ID not found or invalid.

HTTP Headers

Request Headers

Each HTTP request must have at least the following headers:

  • Content-Type: application/json
  • Accept: application/json
  • Authorization: Bearer YourAuthenticationToken

Response Headers

The API uses header to transfer meta information about the returned result. The usage varies depending on the operation. The details are available within the specification of particular resource description:

Header Description Examples
Location [POST] - URL of the created resource Location: /api/v1/endpoint/123
Link [GET] Collection - URL of available pages Link:
https://simforthings.bics.com/api/v1/endpoint?per_page=100;rel="first",
https://simforthings.bics.com/api/v1/endpoint?page=5&per_page=100;rel="prev",
https://simforthings.bics.com/api/v1/endpoint?page=7&per_page=100;rel="next",
https://simforthings.bics.com/api/v1/endpoint?page=34&per_page=100;rel="last"
X-Total-Count [GET] Collection - Total item count X-Total-Count: 3325
X-Current-Page [GET] Collection - Current page X-Current-Page: 6
X-Filter [GET] Collection - Filter applied criteria X-Filter: status:1
X-Sort [GET] Collection - Applied sort criteria X-Sort: -status

HTTP Return codes

CODE Meaning Description
200 OK Response to a successful GET, also used for a POST if it does not result in a creation
201 Created Response to a POST that results in a creation, usually will return a Location header pointing to the location of the new resource
204 No Content Response to a successful request that is not returning a body
400 Bad Request The request is malformed, e.g. the body cannot be parsed
401 Unauthorized No or invalid authentication token provided
403 Forbidden authentication token is valid, but user has no access permissions to the request resource
404 Not Found A non-existent resource is requested
405 Method Not Allowed HTTP method being requested is not allowed
409 Conflict The request could not be completed due to a conflict with the current state of the resource.
410 Gone Indicates that the resource at this end point is no longer available.
415 Unsupported Media Type Incorrect content type was provided as part of the request
422 Unprocessable Entity Body will return list of validation errors
429 Too Many Requests Request is rejected due to rate limiting