Introduction
Welcome to the documentation and reference page of the EVVA AirKey Cloud API.
Our REST API provides the customer with powerful control of his AirKey infrastructure
from any third-party application.
Features
These features can be controlled via API:
- Manage persons
- Manage smartphones and other access media like cards, key tags, etc.
- Assign smartphones or other access media to persons
-
Authorize smartphones or other access media to access
locks (locking components) or areas at given times
- Access protocols
- Additional administration for blacklists, credits, holiday calendars, and maintenance tasks
Some components of AirKey cannot be controlled through the API, as they have no internet connection.
This concerns mostly parts which are set up only once:
- Registering new locks and their assignment to areas
- Adding new RFID access media like cards and key tags
- Administrative settings as buying credits or requesting API keys
API Activation
You need to generate a secret API key to access the API.
The key is sent through a HTTP header (X-API-Key) every time you access the API.
Beside the production API, we provide a test environment for development
purposes. Here you can try out all API features in a safe sandbox-like environment.
To activate the API open the AirKey Online Administration at
https://airkey.evva.com
in your web browser. Go through the "AirKey registration" process if you haven't registered yet.
Then log in and choose "Settings".
Test API
The test environment is free of charge. A predefined set
of test data can be loaded and reset to the intial state anytime.
Please note that it is not possible to access the test environment's
data in the AirKey Online Administration.
Furthermore no real SMS text messages will be sent in the test environment.
To activate the test API go to "Settings" →
"AirKey Cloud Interface (API) – test environment"
and select "Generate the API key".
Immediately write down the API key, as it is displayed only once for security reasons.
You can reset the provided test data to the predefined data set anytime
by clicking on "Reset test data" or by sending the
"/v1/public-mgmt/reset-test-data" request via the API.
Production API
To activate the actual production API click the "Activate API" button (350 credits needed).
After the activation you can generate your secret API key. The key is
displayed only once. Use this key instead of the test API key to switch from
testing to production operation.
Attention, you are now working with real production data!
In case of problems, please try to reproduce them in the test environment before contacting support.
Connecting to the API
There are several ways in which you can access the EVVA AirKey Cloud API:
Manually
The easiest way to perform requests is by using the built in "Try it out"
feature of the Swagger Documentation below. First click on "Authorize" and enter your API key.
Then you can use the "Try it out" button next to each request.
Another convenient option is to use a tool like Postman.
From your application
To access AirKey directly from your application you have two main options:
You can simply send direct request with tools like "curl" and handle the
requests yourself, or you can use generated classes for your programming
language via the Swagger Generator.
Here is a short run-down of how to use Swagger Generator:
Please note that EVVA cannot provide any implementation support for the API.
Contact your software development, agency or vendor for support.
How to use the API
In the following we provide some general information about the usage of the API:
Swagger Documentation
Below you can find the extensive Swagger Documentation for all request types and models (objects).
Information about the request URLs, query parameters, request body configuration,
examples of body and response, as well as valid response codes are provided there.
For body and response you can click on the "Model" link to get information about the
fields. Provided are details about data type, required (marked by a red asterix) and read only.
Note that you can expand child models by clicking on them.
Example: GET /v1/persons → Responses → Model
→ personList (click on the right angle bracket) → Person
→ correspondenceLanguageCode (click on the right angle bracket)
Authorization header "X-API-Key"
For each request a valid API key must be sent in the HTTP header (name "X-API-Key").
To generate a new API key, see section "API Activation".
Data format JSON
JSON notation is used throughout the API:
- Responses are returned as JSON.
- PUT and POST request bodies expect JSON.
- DELETE requests take a JSON array of object IDs.
URL encoding
Make sure to properly apply URL encoding for query parameters according to RFC 3986.
Paging
Most GET requests use paging. Per default 20 entries are returned.
You can retrieve up to 100 entries by giving the "limit" query parameter.
Example: /persons?limit=100
Subsequent pages are loaded via the "offset" query parameter
(number of entries to be skipped at the beginning of the delivered list).
Example to load max. 10 entries beginning with 3rd entry (skip first 2 entries): /persons?limit=10&offset=2
Workflow of updating objects and versioning
If you want to update an existing object you should retrieve it first via GET request,
modify the values as you wish, and then perform a PUT request.
The reason for that is that many PUT requests require to add the current version of the object.
This is important to avoid concurrent modifications and overrides.
Please note that you have to give all required fields, even if they are read only.
Language and country codes
Currently supported:
-
11 language codes (ISO 639-1 compliant and case sensitive):
cs-CZ, de-DE, en-UK, es-ES, fr-FR, it-IT, nl-NL, pl-PL, pt-PT, sk-SK, sv-SE
-
250 country codes (ISO 3166-1 alpha-3 compliant and case sensitive):
ABW, AFG, AGO, AIA, ALA, ALB, AND, ANT, ARE, ARG,
ARM, ASM, ATA, ATF, ATG, AUS, AUT, AZE, BDI, BEL,
BEN, BES, BFA, BGD, BGR, BHR, BHS, BIH, BLM, BLR,
BLZ, BMU, BOL, BRA, BRB, BRN, BTN, BVT, BWA, CAF,
CAN, CCK, CHE, CHL, CHN, CIV, CMR, COD, COG, COK,
COL, COM, CPV, CRI, CUB, CUW, CXR, CYM, CYP, CZE,
DEU, DJI, DMA, DNK, DOM, DZA, ECU, EGY, ERI, ESH,
ESP, EST, ETH, FIN, FJI, FLK, FRA, FRO, FSM, GAB,
GBR, GEO, GGY, GHA, GIB, GIN, GLP, GMB, GNB, GNQ,
GRC, GRD, GRL, GTM, GUF, GUM, GUY, HKG, HMD, HND,
HRV, HTI, HUN, IDN, IMN, IND, IOT, IRL, IRN, IRQ,
ISL, ISR, ITA, JAM, JEY, JOR, JPN, KAZ, KEN, KGZ,
KHM, KIR, KNA, KOR, KWT, LAO, LBN, LBR, LBY, LCA,
LIE, LKA, LSO, LTU, LUX, LVA, MAC, MAF, MAR, MCO,
MDA, MDG, MDV, MEX, MHL, MKD, MLI, MLT, MMR, MNE,
MNG, MNP, MOZ, MRT, MSR, MTQ, MUS, MWI, MYS, MYT,
NAM, NCL, NER, NFK, NGA, NIC, NIU, NLD, NOR, NPL,
NRU, NZL, OMN, PAK, PAN, PCN, PER, PHL, PLW, PNG,
POL, PRI, PRK, PRT, PRY, PSE, PYF, QAT, REU, ROU,
RUS, RWA, SAU, SCG, SDN, SEN, SGP, SGS, SHN, SJM,
SLB, SLE, SLV, SMR, SOM, SPM, SRB, STP, SUR, SVK,
SVN, SWE, SWZ, SXM, SYC, SYR, TCA, TCD, TGO, THA,
TJK, TKL, TKM, TLS, TON, TTO, TUN, TUR, TUV, TWN,
TZA, UGA, UKR, UMI, URY, USA, UZB, VAT, VCT, VEN,
VGB, VIR, VNM, VUT, WLF, WSM, YEM, ZAF, ZMB, ZWE
Dates and times
Timestamps are generally provided in
ISO 8601
date and time format, with time in UTC and millisecond precision. The UTC timezone is defined by the
letter "Z" (for zero meridian) in the last position. Seconds and milliseconds are optionally.
Example: 2019-05-09T09:25:36.608Z
Date fields which hold only the date without time follow a naming convention with "Date" suffix.
Example: "validFrom" (date + time) vs. "validFromDate" (only date)
Dates and times for authorizations
Attention: Timestamps for authorizations are given without timezone (without letter "Z" in the last position),
because locks work in the local timezone and need times relative to their time zone.
For example you want to provide access to a door at 4:00 p.m. in the time zone
of the lock, and not at 4:00 p.m. UTC.
Example: 2019-05-09T09:30 /* without letter "Z" in the last position */
Furthermore authorization timestamps take only certain minute values and no seconds or milliseconds.
Valid minute values for authorization: 00, 05, 10, 15, 20, 30, 40, 45, 50, 55
ID vs. Identifier
The API uses the following naming convention regarding IDs:
-
...Id is the native database ID (e.g. lockId=140023087)
Most of the time you will use these native database IDs when working with the API.
-
...Identifier is the component identifier
used in the AirKey Online Administration for
access media and locks (e.g. lockIdentifier=000000000858E6D0)
HTML code formatting for protocol entries
The translation fields for protocol responses contain various CSS class definitions.
The necessary files for human friendly representation for these fields are:
Workflow Example: Authorization
In this section we give you a short introduction of a common authorization life cycle.
You can also try out and inspect these requests in our
API Demo App.
Create authorization for smartphone
The simplest way to create an authorization for a smartphone is to use the convenient
"/send-a-key" request. This is a single simplified interface for multiple requests
in the background: create a person, create a "phone" medium, assign the medium to the person and create
an authorization for the phone to the given lock (or area) and time.
Update
To update data from the previous "/send-a-key" request you need to perform
separate update requests for the involved data models:
-
To modify personal data (firstName, ...) you need to "GET" the person via "/v1/persons/{personId}"
and then "PUT" the modified JSON object.
-
To modify data of the medium (mobileNumber, ...) you need to "GET" the medium via "/v1/media/{mediaId}"
and then "PUT" the modified JSON object.
-
Authorizations are very powerful in AirKey and thus a bit more complex.
If you simply want to replace all existing authorizations created by "send-a-key" you can do the following:
POST /v1/authorizations/simple
{
"authorizationInfo": {
"type": "SIMPLE",
"validFrom": "2019-05-15T09:50",
"validTo": "2019-06-21T09:00"
},
"mediumId": 253,
"lockId": 140023087,
"removeAllExistingAuthorizationsForPair": true
}
Explanation: We logically create an authorization of type "SIMPLE" which takes only "validFrom" and "validTo"
timestamps, and the IDs of medium and lock. Afterwards it is checked against all existing authorizations.
Additionally we give the option "removeAllExistingAuthorizationsForPair" in case of a necessary authorization
change, applying on the current medium–lock pair. Meaning:
-
If "removeAllExistingAuthorizationsForPair" is set to "true" the logically created authorization
will replace all existing authorizations.
-
If "removeAllExistingAuthorizationsForPair" is set to "false" (= default value) the logically created
authorization will be appended to the existing authorizations, if technically possible.
Overlapping intervals are not allowed; exception: the new time interval covers exactely
an existing time interval. For one day you can create only one time interval with the
SIMPLE authorization (e.g. only 09:00-10:00, but not 09:00-10:00 and 14:00-16:00).
This request is also possible for an area. Use in this case "areaId" instead of "lockId".
Delete
If you want to delete all data created by a "/send-a-key" request you have
to perform the following steps in the correct order:
Additional Information
A lot of additional information can be found in the
AirKey System Manual.
Please contact your EVVA partner for AirKey support inqueries.
Changelog
v18.0.0
-
Added request "GET /v1/acos" which returns a list of all access control operators (administrators) defined in the access
control system.
-
Added request "GET /v1/acos/support" which returns a list of all support logins defined in the access control system.
-
Added request "GET /v1/credits-protocol" which returns the protocol of credits actions.
-
"GET /v1/lock-protocol" is deprecated. It has been replaced by "GET /v1/lock-protocol-limit".
-
Added request "GET /v1/lock-protocol-limit" which returns a list of protocol entries of all locks in the access control
system.
-
"POST /v1/media/phones/{phoneId}/send-registration-code" is deprecated. It has been replaced by "POST
/v1/media/phones/{phoneId}/send-registration-code/sms".
-
"POST /v1/media/phones/{phoneId}/send-registration-code-with-parameters" is deprecated. It has been replaced by "POST
/v1/media/phones/{phoneId}/send-registration-code/sms".
-
Added request "POST /v1/media/phones/{phoneId}/send-registration-code/mail" which sends a pairing code via email while
the email subject and text to be sent can be configured.
-
Added request "POST /v1/media/phones/{phoneId}/send-registration-code/sms" which sends a pairing code via SMS while the
SMS text to be sent can be configured.
-
Added request "GET /v1/pending-phone-replacements" which returns a list of all pending phone replacements sorted by
creation date ascending.
-
Added request "POST /v1/pending-phone-replacements/{replacementId}/approve" which approves pending phone replacement.
-
Added request "POST /v1/pending-phone-replacements/{replacementId}/reject" which rejects pending phone replacement.
-
"GET /v1/medium-protocol" is deprecated. It has been replaced by "GET /v1/medium-protocol-limit".
-
Added request "GET /v1/medium-protocol-limit" which returns a list of protocol entries of all media in the access
control system.
-
"POST /v1/send-a-key" is deprecated. It has been replaced by "POST /v1/send-a-key/sms".
-
Added request "POST /v1/send-a-key/mail" which sends a registration code via email and creates all necessary
prerequisites if needed.
-
Added request "POST /v1/send-a-key/sms" which sends a registration code via SMS and creates all necessary prerequisites
if needed.
-
Added request "GET /v1/settings" which returns stored settings of the customer.
-
"GET /v1/system-protocol" is deprecated. It has been replaced by "GET /v1/system-protocol-limit".
-
Added request "GET /v1/system-protocol-limit" which returns the system protocol with events performed by the
administrators of the access control system.
v17.20.0
-
Modified model LockDoor: name = door name set by owner of the lock (previously door name or alternative door name), ownerName removed,
alternativeName added (alternative door name that can be set for locks with ownerShip = EXTERNAL, never used for locks with ownerShip = OWNER)
-
Modified model SimpleLock: alternativeName added (alternative door name that can be set for locks with ownerShip = EXTERNAL, never used for locks with ownerShip = OWNER).
New field may only be returned by "GET /v1/maintenance-tasks".
-
Modified model SharedLock: renamed doorName to alternativeDoorName
-
Modified "GET /v1/maintenance-tasks": added query parameter alternativeDoorName to filter by alternative door name.
Changed query parameter doorName to only filter by door name (previously also filtered by alternative door name).
v17.10.0
-
Replaced boolean field "synchronizeAfterUnlocking" in model LockSettings with "unlockSyncMode" of type LockUnlockSyncMode.
v17.0.0
-
Added optional fields "ownership" and "removalRequested" (both read-only) to the model Lock.
-
Added optional field "ownership" (read-only) to the model LockSettings.
-
Added GET and PUT request "/v1/locks/{lockId}/settings" which allows fetching and modifying the settings of a lock.
Some settings can only be changed by the owner of the lock and some may also needs lock synchronization to take effect.
-
Added requests "GET /v1/locks/{lockId}/settings/assigned-areas", "POST /v1/locks/{lockId}/settings/assigned-areas/add" and
"POST /v1/locks/{lockId}/settings/assigned-areas/remove" for assigning / unassigning a lock to areas.
-
Added requests "GET /v1/locks/{lockId}/settings/sharing-codes", "POST /v1/locks/{lockId}/settings/sharing-codes" and
"DELETE /v1/locks/{lockId}/settings/sharing-codes/{sharingCodeId}" for adding / removing sharing codes which allow the lock
to be shared with another access control system. These requests can only be used by the owner of the lock.
-
Added requests "GET /v1/locks/{lockId}/settings/active-shares" and "POST /v1/locks/{lockId}/settings/active-shares/remove"
for seeing with whom the lock is shared and to cancel shares with another access control systems.
These requests can only be used by the owner of the lock.
-
Added request "POST /v1/locks/add-shared-lock" which allows adding a lock of another access control system.
-
Added requests "POST /v1/locks/{lockId}/remove" and "POST /v1/locks/{lockId}/abort-remove" for marking / unmarking a lock as to be
removed. The lock needs to be synchronized to complete the removal. These requests can only be used by the owner of the lock.
v16.20.2
-
Added POST request "/v1/media/phones/{phoneId}/send-registration-code-with-parameters" which allows to send a
registration code to a phone with an optional field (JSON body with field "smsText") to define the SMS text that
should be used. If the field "smsText" is not set, a default text will be used.
-
Added optional field "cardUid" to the model Card which returns the ISO/IEC 14443 UID. GET requests
/v1/media/... are going to return this field for supported media (J80K+D08K or newer) of
type Card. This field is read-only and therefore cannot be updated.
The "cardUid" can be returned only for cards produced after 13 September 2022!
-
Added required field "lockingSystemId" to the model Medium. GET requests /v1/media/... are going to return this field for media of
all types. This field is read-only and therefore cannot be updated. Furthermore, media can now be filtered by using the new
query parameter "lockingSystemId" (GET requests /v1/media, /v1/media/cards, /v1/media/phones).
-
Added required field "lockingSystemId" to the model Lock. GET requests /v1/locks/... are going to return this field for all locks.
This field is read-only and therefore cannot be updated. Furthermore, locks can now be filtered by using the new
query parameter "lockingSystemId" (GET request /v1/locks).
-
"GET /v1/maintenance-tasks" can now return the new maintenance task "RS485_OUTPUT_NOT_SYNCHRONIZED" (within model LockMaintenanceTask).
-
Added optional field "pushMessage" to the models AuthorizationChange and SimpleAuthorizationCreate. If this field is set, it will
be shown on the phone that receives a new / changed authorization. Otherwise, the default push message text is used.
v15.10.0
-
Updated documentation for constraints of "POST /v1/media/{mediumId}/deactivate"
and /v1/media/{mediumId}/reactivate (reason, comment query parameters)
v14.40.2
-
The requests "POST /v1/send-a-key" and "POST /v1/authorizations/simple"
now only use the parameter "removeAllExistingAuthorizationsForPair".
The parameter "allowModificationExistingAuthorizations" was removed.
v13.30.1
-
Fixes issue of finding phones via "GET /v1/media/phones" using the "phoneNumber"
filter if the phone number contains blank characters.
-
Improved description for authorization update using "simpleAuthorization" in documentation.
v13.20.11
-
The request "PUT /v1/locks" now also saves the comment field.
-
Improved description for "simpleAuthorization" in documentation.
-
Renamed authorization date fields (without time) to "validFromDate"
and "validToDate" for the types "ONE_DAY" and "PERIODICAL".
-
Added fields "fax" and "contactTitle" to the "GET /v1/customer" request.
-
Removed redundant requests "GET /v1/areas/protocol" and "GET /v1/locks/protocol".
These requests are now handled by the "GET /v1/lock-protocol" request
with a corresponding parameter ("areaId" respectively "lockId").
-
All requests use now the plural of "slot": "GET /v1/holidayCalendars/.../slots/", etc.