Service Authentication

XiVO services expose more and more resources through REST APIs, and they also ensure that access is restricted to authorized programs. For this, we use an authentication daemon that delivers authorizations via tokens.

Call flow

Here is the call flow to access a REST resource of a XiVO service:

  1. Create a username/password (also called service_id/service_key) with the right ACLs, via Web Services Access.

  2. Create a token with these credentials and the backend xivo-service.

  3. Use this token to access the REST resource defined by the ACL.


Call flow of service authentication


Service that needs to access a REST resource.


Server that exposes a REST resource. This resource must have an attached ACL.


Server that authenticates the Service and validates the required ACL with the token.

XiVO services directly use this system to communicate with each other, as you can see in their Web Services Access.
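
The three-step call flow above, modelled in-process as an added example (this is not XiVO code). `AuthServer` and `ResourceServer` are hypothetical stand-ins for the authentication server and a server exposing a REST resource; the ACL strings, status codes and token lifetime are constructed for illustration.

```python
import hmac
import secrets
import time

class AuthServer:
    """Stand-in for the authentication daemon: issues tokens, validates ACLs."""
    def __init__(self):
        self._accounts = {}   # service_id -> (service_key, ACLs)
        self._tokens = {}     # token -> (ACLs, expiry timestamp)

    def add_account(self, service_id, service_key, acls):
        # Step 1: an administrator provisions the credentials and their ACLs.
        self._accounts[service_id] = (service_key, frozenset(acls))

    def create_token(self, service_id, service_key, backend, ttl=3600, now=None):
        # Step 2: exchange the credentials for a time-limited token.
        now = time.time() if now is None else now
        key, acls = self._accounts.get(service_id, ("", frozenset()))
        ok = hmac.compare_digest(key.encode(), service_key.encode())
        if backend != "xivo-service" or not key or not ok:
            raise PermissionError("invalid credentials or backend")
        token = secrets.token_urlsafe(32)   # unguessable bearer value
        self._tokens[token] = (acls, now + ttl)
        return token

    def check(self, token, required_acl, now=None):
        # Used by the resource server: token must exist, be unexpired, carry the ACL.
        now = time.time() if now is None else now
        acls, expiry = self._tokens.get(token, (frozenset(), 0))
        return now < expiry and required_acl in acls

class ResourceServer:
    """Stand-in for a server exposing REST resources, each with an attached ACL."""
    def __init__(self, auth, resources):
        self._auth = auth
        self._resources = resources   # path -> (required ACL, payload)

    def get(self, path, token):
        # Step 3: each request is validated against the resource's ACL.
        if path not in self._resources:
            return 404, None
        required_acl, payload = self._resources[path]
        if not self._auth.check(token, required_acl):
            return 401, None
        return 200, payload
```

The token only opens resources whose ACL was granted to the account in step 1; an expired or unknown token is rejected the same way as a missing ACL.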