Overview of the REST API
The REST API uses a resource to perform HTTP operations. A resource is an object with a type, associated data, relationships to other resources, and a set of methods that operate on it. Actions can be performed on the following resources:
- An entry on a form
- A field on a form
- A menu on a form
Example API call
The following example shows how a client creates a POST call and passes the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type:
POST /api/jwt/login HTTP/1.1
host: www.example.com
username=SomeUser&password=mysecret&authString=authenticationstringBMC Helix ITSM performs the normal authentication mechanisms to validate the credentials. If the credentials are valid, the AR Server generates a JSON Web Token (JWT). You can attempt a REST API call if you have a token. A single JWT token is valid for an hour. You can use a single token across multiple AR System servers that are in the same server group.
// comments not actually included, added for clarity
{
// the username
"sub" : "SomeUser",
// the Server-Connect-Name of the AR Server who issued the token
"iss" : "www.example.com",
// the UNIX time when the token was issued
"iat" : 1408774310,
// 2 minutes before "iat", to account for clock skew between servers
"nbf" : 1408777790,
// the UNIX time when the token expires, the duration being a configurable value (probably between 1 minute and 12 hours)
"exp" : 1408777910,
// a custom claim, the cache ID
"_cacheId" : 13
}Important
If the user provides a blank password, BMC Helix ITSM does not attempt to cross-reference the password.
The JWT is signed and base64 encoded string, and is sent back as a response body to the HTTP request:
HTTP/1.1 200 OK
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXkThe client receives the token and uses it in all subsequent REST API calls through the Authorization header using the AR-JWT schema:
GET /api/arsys/v1/entry/SomeForm HTTP/1.1
Authorization: AR-JWT eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXkSupported resources
The following table lists comment resources for REST operations.
| Resource | Endpoints | Actions |
|---|---|---|
An entry on a form | /entry/{formName} | Create or search all entries on the form. |
| /entry/{formName}/{entryId} | Get, modify, and delete that particular entry. | |
| A field on a form | /fields/{formName}/{fieldId} | Fetch field metadata. |
| A menu on a form | /menu/{MenuName}?menu_criteria=criteria1,criteria2... | Fetch menu metadata. |
| /menu/expand | Fetch menu details. |
Supported operations
The following table displayed common parameters for REST operations:
For more information about these operations, see the same table in
Overview of the REST API
in the AR System documentation.
HTTP status codes
When responding to requests, the REST API uses some of the HTTP status codes. The following table gives a summary of the status codes that are returned. Each operation specifies the response code you receive on successful calls or errors.
| Code | Name | Usage |
|---|---|---|
| 200 | OK | This code is the default response for a successful API call. If the documentation does not specify an HTTP status code that is returned on a successful call, it is assumed to be 200. |
| 201 | Created | This code is used when you create new resources. REST includes the Location header in the response body, which denotes where the new resource is found. |
| 204 | No Content | This code is similar to 200, but with no response body. This code is commonly used for DELETE operations. |
For a list of error codes, see
Error handling for the REST API
in the AR System documentation.
Comments
Log in or register to comment.