REST API Permissions

The tokens delivered by xivo-auth have a list of permissions associated (ACL), that determine which REST resources are authorized for this token. Each REST resource has an associated required ACL. When you try to access to a REST resource, this resource requests xivo-auth with your token and the required ACL to validate the access.


An ACL contains 3 parts separated by dot (.)

  • service: name of service, without prefix xivo- (e.g. xivo-confd -> confd).

  • resource: name of resource separated by dot (.) (e.g. /users/17/lines -> users.17.lines).

  • action: action performed on resource. Generally, this is the following schema:

    • get -> read

    • put -> update

    • post -> create

    • delete -> delete


There are 3 substitution values for an ACL.

  • *: replace only one word between dot.

  • #: replace one or multiple words.

  • me: replace the user_uuid from sent token.


The ACL will have access to the following REST resources:

GET /users/{user_id}/cti
GET /users/{user_id}/funckeys
GET /users/{user_id}/funckeys/{position}
GET /users/{user_id}/funckeys/templates
GET /users/{user_id}/lines
GET /users/{user_id}/lines/{line_id}
GET /users/{user_id}/voicemail
  • service: confd

  • resource:

  • action: read

The ACL*.* will have access to the following REST resources:

DELETE /users/{user_id}funckeys/{position}
GET /users/{user_id}funckeys/{position}
PUT /users/{user_id}funckeys/{position}
GET /users/{user_id}funckeys/templates
  • service: confd

  • resource:*

  • action: *

Where {user_id} is the user uuid from the token.

Available ACLs

The ACL corresponding to each resource is documented. Some resources may not have any associated ACL yet, so you must use {service}.# instead.