Web Services Access

You may configure Web Services / REST API permissions in Configuration ‣ Management ‣ Web Services Access.

Web services access may have two different meanings:

  • Who may access REST APIs of various XiVO daemons, and which resources in those REST APIs?

  • Who may access PHP web services under https://xivo.example.com/xivo/configuration/json.php/*?

REST API access and permissions

Those REST API interfaces are documented on http://<youxivo>.api. They all require an authorization token, obtained by giving valid credentials to the REST API of xivo-auth. The relevant settings are:

  • Login/Password: the xivo-auth credentials (for the xivo-auth backend xivo_service)

  • ACL: The list of authorized REST API resources. See REST API Permissions.

Unlike PHP web services, there is no host-based authorization, so the Host setting is not relevant.

A few REST API access are automatically generated during the installation of XiVO, so that XiVO services may authenticate each other.

You will probably only need to create such a REST API access when you want another non-XiVO service to communicate with XiVO via REST API.

PHP web services



Those web services are deprecated. There is no documentation about their usage, and the goal is to remove them.

They are still protected with HTTP authentication, requiring a login and password. The relevant settings are:

  • Login/Password: the HTTP authentication credentials

  • Host: the authorized hosts that are allowed to make HTTP requests:

    • Empty value: HTTP authentication

    • Non-empty value: no HTTP authentication, all requests coming from this host will be accepted. Valid hosts may be: a hostname, an IP address, a CIDR block.

There is no fine-grained permissions: either the user has access to every PHP web services, or none.




There is also a special case for authentication with xivo-confd. See XiVO REST API for more details.