Wiki source code of DigDash API REST
Last modified by Aurelie Bertrand on 2026/06/19 10:37
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{ddtoc/}} | ||
| 2 | |||
| 3 | ---- | ||
| 4 | |||
| 5 | (% class="wikigeneratedid" %) | ||
| 6 | DigDash provides a REST API for interacting with a number of DigDash objects. | ||
| 7 | You can use Swagger to test it. | ||
| 8 | |||
| 9 | = Accessing Swagger UI = | ||
| 10 | |||
| 11 | Swagger UI allows you to view and interact with API resources. | ||
| 12 | This interface also provides visual documentation to make them easier to use. | ||
| 13 | |||
| 14 | To open Swagger UI, you can: | ||
| 15 | |||
| 16 | * click on the **API** link at the bottom of the homepage | ||
| 17 | * use the following link:((( | ||
| 18 | [[http:~~/~~/~[server~]:~[port~]/~[domain~]/staticwebcontent/swagger/>>url:http://[serveur]:[port]/[domain]/updateuser]] | ||
| 19 | where you replace [server], [port] and [domain] with your own details. | ||
| 20 | For example: | ||
| 21 | [[http:~~/~~/localhost:8080/ddenterpriseapi/staticwebcontent/swagger/>>http://localhost:8080//ddenterpriseapi/staticwebcontent/swagger/]] | ||
| 22 | ))) | ||
| 23 | |||
| 24 | This will take you to the interface displaying the available API resources, categorised by type. | ||
| 25 | |||
| 26 | (% class="box infomessage" %) | ||
| 27 | ((( | ||
| 28 | 💡 If the domain name has been changed, you can specify a custom ddapi domain in the **‘domain’** field. | ||
| 29 | ))) | ||
| 30 | |||
| 31 | (% class="wikigeneratedid" %) | ||
| 32 | [[image:swagger.png||alt="Interface Swagger" height="770" width="1043"]] | ||
| 33 | |||
| 34 | = Authentication{{id name="Auth"/}} = | ||
| 35 | |||
| 36 | To interact with the APIs, you must authenticate yourself. | ||
| 37 | |||
| 38 | * (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Click the (%%)**‘Authorise’**(% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)button in the top right-hand corner of the Digdash API page. (The open padlock icon means you are not authorised.)(%%) | ||
| 39 | ➡(% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)The (%%)**‘Available**(% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)authorisations’window will appear. | ||
| 40 | |||
| 41 | Three authorisation methods are available: | ||
| 42 | |||
| 43 | * ((( | ||
| 44 | **BasicAuth: **The Basic Authentication method, which allows you to log in using your LDAP username and password. | ||
| 45 | ))) | ||
| 46 | * ((( | ||
| 47 | **BearerAuth**: The Bearer Authentication method, which uses security tokens known as bearer tokens. | ||
| 48 | ))) | ||
| 49 | * ((( | ||
| 50 | **ApiKeyAuth**: The API Key Authentication method, which allows you to authenticate using an API key. | ||
| 51 | ))) | ||
| 52 | |||
| 53 | The BasicAuth method will be used for the initial authentication. You can then generate a security token or an API key and use one of the other two methods. | ||
| 54 | |||
| 55 | (% class="box warningmessage" %) | ||
| 56 | ((( | ||
| 57 | ❗For security reasons, it is not recommended to use the**BasicAuth** method systematically. | ||
| 58 | ))) | ||
| 59 | |||
| 60 | (% class="box infomessage" %) | ||
| 61 | ((( | ||
| 62 | ℹ It is not possible to create a security token (JWT) when authenticated with a security token (JWT). | ||
| 63 | ))) | ||
| 64 | |||
| 65 | == Authenticating via BasicAuth == | ||
| 66 | |||
| 67 | 1. Enter your Digdash username and password. | ||
| 68 | 1. Click the **‘Authorise’** button, then, once authentication is complete, click **‘Close**’. | ||
| 69 | ➡ The padlock is now closed, indicating that you are authorised. | ||
| 70 | You can now create a JWT token or an API key to log in. | ||
| 71 | |||
| 72 | == Authenticating via BearerAuth == | ||
| 73 | |||
| 74 | Once logged in via BasicAuth, you can generate a security token to authenticate using the BearerAuth method. | ||
| 75 | |||
| 76 | === Creating a JWT token{{id name="JWT"/}} === | ||
| 77 | |||
| 78 | Here, we will create a JSON Web Token (JWT): | ||
| 79 | |||
| 80 | 1. Go to the **Authentication** section. | ||
| 81 | 1. Click to expand**POST ddenterpriseapi/api/v1/auth/jwt.** | ||
| 82 | 1. Before you begin, you can view an example request and, by hovering over the **Schema** tab, a description of the various elements. | ||
| 83 | 1. Click on **‘Try it out’ in **the top right-hand corner to define your request. This includes the following elements: | ||
| 84 | 1*. **targetUser**: (Optional) Specify the name of the user to impersonate. This only works if the user used to create the JWT has the **Admin > Allow impersonation** authorisation (ACL). | ||
| 85 | If left blank, the default user is the one currently logged in, which will generally be the case. | ||
| 86 | 1*. **expires**: (Optional but recommended) Specify the JWT’s validity period in the form of a time period in ISO 8601 format (e.g. PT5M for 5 minutes). For further information, see [[https:~~/~~/en.wikipedia.org/wiki/ISO_8601#Durations>>https://en.wikipedia.org/wiki/ISO_8601#Durations]].(% style="color:#d35400" %)⚠ Only the PnDTnHnMnS format is supported: (%%)you can specify days, hours, minutes and seconds, but not years, months or weeks (PnYnMnWnDTnHnMnS). | ||
| 87 | 1*. **Permissions: **Set the permissions for each API type: “none” for no permissions, “r” for read-only, “rw” for read-write. | ||
| 88 | For example: | ||
| 89 | [[image:DigDash_API_token_creation_FR.png||alt="Exemple authentification"]] | ||
| 90 | |||
| 91 | (% class="box warningmessage" %) | ||
| 92 | ((( | ||
| 93 | ❗A check will be carried out on the user’s permissions in Digdash (ACLs) in addition to the token’s permissions. | ||
| 94 | ))) | ||
| 95 | |||
| 96 | (% start="5" %) | ||
| 97 | 1. Click the**Execute **button**to **generate the token (JWT). | ||
| 98 | ➡ The response is displayed in the **Server response** section below. | ||
| 99 | [[image:DigDash_API_token_creation_response_FR.png||alt="Réponse serveur"]] | ||
| 100 | 1. Copy the JWT token.\\ | ||
| 101 | |||
| 102 | (% class="wikigeneratedid" id="HSignaturedujetondesE9curitE9" %) | ||
| 103 | **Signing the security token** | ||
| 104 | |||
| 105 | A private key used to sign the JWT is generated by default. This key is temporary and is regenerated every time the server is restarted. | ||
| 106 | |||
| 107 | To avoid this issue and improve security, it is strongly recommended that you use your own private key to sign JWT tokens using the following environment variables: | ||
| 108 | |||
| 109 | * **DD_JWT_SECRETKEY_PATH**: this variable is used to specify the path to an RSA private key. | ||
| 110 | * **DD_JWT_SECRETKEY**: this variable allows you to define a custom password. | ||
| 111 | |||
| 112 | Please note that the DD_JWT_SECRETKEY_PATH variable takes precedence over the DD_JWT_SECRETKEY variable. | ||
| 113 | |||
| 114 | The RSA private key can be generated using the following command (requires the OpenSSL tool): | ||
| 115 | |||
| 116 | {{code language="shell"}} | ||
| 117 | openssl genrsa -out /path/to/privatekey.pem 2048 | ||
| 118 | {{/code}} | ||
| 119 | |||
| 120 | The RSA public key can be generated from the private key using the following command (optional): | ||
| 121 | |||
| 122 | {{code language="shell"}} | ||
| 123 | openssl rsa -in /path/to/privatekey.pem -pubout -out /path/to/publickey.crt | ||
| 124 | {{/code}} | ||
| 125 | |||
| 126 | === Authenticating === | ||
| 127 | |||
| 128 | Once the security token has been generated, you can authenticate using this method: | ||
| 129 | |||
| 130 | 1. Click the**Authorise** button. | ||
| 131 | 1. In the**BasicAuth** section, log out by clicking the**Logout** button. | ||
| 132 | 1. In the**BearerAuth** section, paste the JWT token into the**Value** field. | ||
| 133 | 1. Click**Authorise**. | ||
| 134 | |||
| 135 | == Authenticating via ApiKeyAuth{{id name="ApiKeyAuth"/}} == | ||
| 136 | |||
| 137 | Once logged in via BasicAuth, you can generate a security token to authenticate using the BearerAuth method. | ||
| 138 | |||
| 139 | === Create an API key{{id name="API"/}} === | ||
| 140 | |||
| 141 | We’re going to create an API key here: | ||
| 142 | |||
| 143 | 1. Go to the **Authentication** section. | ||
| 144 | 1. Click to expand**POST ddenterpriseapi/api/v1/auth/apikeys** | ||
| 145 | 1. Before you begin, you can view an example request and, by hovering over the **Schema** tab, a description of the various elements. | ||
| 146 | 1. Click on **‘Try it out’ in **the top right-hand corner to define your request. This includes the following elements: | ||
| 147 | 1*. **targetUser**: (Optional) Specify the name of the user whose identity you wish to assume. This only works if the user used to create the API key has the **Admin > Allow identity borrowing** authorisation (ACL). | ||
| 148 | If left blank, the default user is the one currently logged in, which will generally be the case. | ||
| 149 | 1*. **expires**: (Optional) Specify the validity period of the API key in the form of a time period in ISO 8601 format (i.e. PT5M for 5 minutes). For further information, see [[https:~~/~~/en.wikipedia.org/wiki/ISO_8601#Durations>>https://en.wikipedia.org/wiki/ISO_8601#Durations]].(% style="color:#d35400" %)⚠ Only the PnDTnHnMnS format is supported(%%): you can specify days, hours, minutes and seconds, but not years, months or weeks (PnYnMnWnDTnHnMnS). | ||
| 150 | If the //‘expires’// element is not included in the request, the key has an infinite duration. | ||
| 151 | 1*. **permissions: **Set the permissions for each API type: “none” for no permissions, “r” for read-only, “rw” for read-write. | ||
| 152 | For example: | ||
| 153 | [[image:1745928168043-553.png]] | ||
| 154 | |||
| 155 | (% class="box warningmessage" %) | ||
| 156 | ((( | ||
| 157 | ❗A check will be carried out on the user’s permissions in Digdash (ACLs) in addition to the token’s permissions. | ||
| 158 | ))) | ||
| 159 | |||
| 160 | (% start="5" %) | ||
| 161 | 1. Click the**Execute **button**to **generate the API key. | ||
| 162 | ➡ The response is displayed in the **Server response** section below. | ||
| 163 | [[image:1745928288556-250.png||alt="Réponse serveur"]] | ||
| 164 | 1. Copy the API key. | ||
| 165 | ❗The key is only displayed once and cannot be retrieved in any other way, as it is hashed (irreversibly encrypted) when stored on the server for security reasons.((( | ||
| 166 | If a key is lost or no longer required, it must be invalidated and a new key created if necessary. | ||
| 167 | ))) | ||
| 168 | |||
| 169 | The API key is stored on the server in a CSV file named **//apikeys.csv//**, located by default in the //appdata/EnterpriseServer/ddenterpriseapi/config// directory. | ||
| 170 | However, if a custom location has been defined via the **//ddenterpriseapi.ServerSettingsPath//**in the //digdash.properties// file, this configuration takes precedence over the default path. | ||
| 171 | You can change this directory, or specify multiple directories in the case of multiple domains, in the //digdash.properties//file by adding them in the following format//: ddenterprise.api_keys_path=/path/to/csv-file. // | ||
| 172 | This property takes precedence over //ddenterpriseapi.ServerSettingsPath//. | ||
| 173 | |||
| 174 | === Authentication === | ||
| 175 | |||
| 176 | Once the API key has been generated, you can authenticate using this method: | ||
| 177 | |||
| 178 | 1. Click the **Authorise** button. | ||
| 179 | 1. In the **BasicAuth** section, log out by clicking the **Logout** button. | ||
| 180 | 1. In the **ApiKeyAuth** section, paste the API key into the Value field. | ||
| 181 | 1. Click **Authorise**. | ||
| 182 | |||
| 183 | = Available API resources{{id name="ressources"/}} = | ||
| 184 | |||
| 185 | == List of resources == | ||
| 186 | |||
| 187 | The available resources are categorised by type: | ||
| 188 | |||
| 189 | * **Authentication: **for creating security tokens (JWT) | ||
| 190 | * **User Management**: for managing users and related elements: profiles, roles, authorisation groups, role authorisation groups, user settings, etc. | ||
| 191 | * **Session Management: **for retrieving the list of sessions and terminating sessions. | ||
| 192 | * **System**: for system information, audit service and scheduler. | ||
| 193 | * **Licence Management**: for managing licences: activation, users covered by the licence, etc. | ||
| 194 | * **Event Management**: for adding events using fireEvent. | ||
| 195 | * **Connections: **for managing database connections: listing, creating, replacing and deleting. | ||
| 196 | * **Versions**: for retrieving the version of the API or Digdash. | ||
| 197 | |||
| 198 | (% class="box infomessage" %) | ||
| 199 | ((( | ||
| 200 | ℹ The closed padlock to the right of the resource indicates that you have authorisation. | ||
| 201 | ))) | ||
| 202 | |||
| 203 | == Available operations == | ||
| 204 | |||
| 205 | There are several types of operations that can be performed via the API: | ||
| 206 | |||
| 207 | * (% style="color:#3498db" %)**GET**(%%): to retrieve information. For example, the list of users or system information. | ||
| 208 | * (% style="color:#2ecc71" %)**POST**(%%): to create items. For example, a role or users within a licence. | ||
| 209 | * (% style="color:#16a085" %)**PATCH**(%%)**: **to update items (only replaces the data to be updated). For example, a user or a permissions group. | ||
| 210 | * (% style="color:#e67e22" %)**PUT**(%%)**: **to replace items (overwrites all data and replaces it). | ||
| 211 | * (% style="color:#c0392b" %)**DELETE**(%%): to delete items. For example, a user’s permissions. | ||
| 212 | |||
| 213 | == Sending requests{{id name="envoi"/}} == | ||
| 214 | |||
| 215 | (% class="box warningmessage" %) | ||
| 216 | ((( | ||
| 217 | ❗Please note that a check is carried out on the user’s permissions in Digdash (ACLs) in addition to the token’s permissions. | ||
| 218 | ))) | ||
| 219 | |||
| 220 | (% style="line-height:1.7142857142857142; background-color:#ffffff; margin-bottom:15px; padding:3.75pt 0pt 0pt 0pt" %) | ||
| 221 | (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Once you have been authorised, you can make requests: | ||
| 222 | |||
| 223 | 1. (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Expand the resource on which you wish to perform an operation. A closed padlock indicates that you are authorised. | ||
| 224 | 1. Before you begin, you can view an example request and, by hovering over the**Schema** tab, see a description of the various elements. | ||
| 225 | 1. (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)In the expanded method window, click **‘Try it out **’. | ||
| 226 | 1. (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Specify the parameter values if necessary. A description is provided in the table below. | ||
| 227 | 1. (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Click **‘Execute’.**(%%) | ||
| 228 | ➡(% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)The request is executed and the response is displayed. | ||
| 229 | A bearer authorisation header is automatically used for your requests. | ||
| 230 | |||
| 231 | Swagger also provides curl command-line options when executing requests to help with testing or coding a tool outside the browser (in a script, for example). | ||
| 232 | Please note that, whether using curl or another tool, you must specify the HTTP headers “Accept” (format of the content to be retrieved) and “Content-Type” (format of the content sent) for the requests to work correctly. These two headers can take the values “application/json” for JSON or “application/xml” for XML. | ||
| 233 | [[image:1725441504464-493.png]] | ||
| 234 | |||
| 235 | (% class="wikigeneratedid" id="HParamE8tres" %) | ||
| 236 | **Settings** | ||
| 237 | |||
| 238 | (% style="width:1391px" %) | ||
| 239 | |(% colspan="2" style="background-color:grey; text-align:center; width:1388px" %)(% style="color:#ffffff" %)**User management** | ||
| 240 | |(% style="width:205px" %)includes|(% style="width:1184px" %)You can add roles, authorisations (ACLs) and/or authorisation groups (groupACLs), as well as licence information, to the query result. | ||
| 241 | |(% style="width:205px" %)id (required)|(% style="width:1184px" %)Specify the name of the user, role, etc., depending on the API to be used for the operation. | ||
| 242 | |(% style="width:205px" %)resolveGroupAcls|(% style="width:1184px" %)If set to //true//, the permissions that are part of the profile’s authorisation groups are displayed. | ||
| 243 | |(% style="width:205px" %)resolveProfiles|(% style="width:1184px" %)If set to //true//, and if the user has a profile, the profile information will be displayed. | ||
| 244 | For example, if the user has roles derived from a profile, the roles from the profile will be displayed rather than the user’s own roles. | ||
| 245 | |(% colspan="2" style="background-color:grey; text-align:center; width:1388px" %)(% style="color:#ffffff" %)**Session management** | ||
| 246 | |(% style="width:205px" %)users|(% style="width:1184px" %)You can specify users for the query: click the **‘Add string item’** button and enter a user’s name. Repeat this step as required for other users. | ||
| 247 | |(% style="width:205px" %)id|(% style="width:1184px" %)Specify the session name. | ||
| 248 | |(% colspan="2" style="background-color:grey; text-align:center; width:1388px" %)(% style="color:#ffffff" %)**System** | ||
| 249 | |(% style="width:205px" %)period number|(% style="width:1184px" %)Specify the period for which to retrieve the latest cube and security failures in DDAudit (60 seconds by default). | ||
| 250 | |(% style="width:205px" %)auditService|(% style="width:1184px" %)Specify the audit service of your choice: ChangeAuditor, FlowAuditor, SystemAuditor, CubeAuditor, SecurityAuditor, DashboardAuditor or SessionAuditor. | ||
| 251 | |(% style="width:205px" %)syncher|(% style="width:1184px" %)((( | ||
| 252 | Specify the synchroniser of your choice: PlayTP, SyncTP, CopyTP or ExportTP. | ||
| 253 | ))) | ||
| 254 | |(% colspan="2" style="background-color:grey; text-align:center; width:1388px" %)(% style="color:#ffffff" %)**Connection management** | ||
| 255 | |(% style="width:205px" %)itemRole|(% style="width:1184px" %)You can restrict the query to database connections limited to the roles specified here. | ||
| 256 | |(% style="width:205px" %)nameFilter|(% style="width:1184px" %)You can restrict the query to database connections whose name contains the text string specified here. | ||
| 257 | |(% style="width:205px" %)typeFilter|(% style="width:1184px" %)You can restrict the query to database connections of the type(s) specified here. | ||
| 258 | |(% style="width:205px" %)id (required)|(% style="width:1184px" %)Specify the identifier for the database connection. | ||
| 259 | |(% colspan="2" style="background-color:grey; text-align:center; width:1388px" %)(% style="color:#ffffff" %)**Licence management** | ||
| 260 | |(% style="width:205px" %)pattern|(% style="width:1184px" %)You can specify a regular expression to filter the users to be retrieved. | ||
| 261 | For example, the pattern test.* will retrieve all users whose name begins with test. | ||
| 262 | |||
| 263 | = Authentication expiry = | ||
| 264 | |||
| 265 | (% style="line-height:1.7142857142857142; background-color:#ffffff" %) | ||
| 266 | (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)When the security token (JWT) or API key expires, you will receive a (% style="color:#182027; font-family:~"Roboto Mono~",monospace; font-size:10pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)401(% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)response (% style="color:#182027; font-family:~"Roboto Mono~",monospace; font-size:10pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %):(%%)“Unauthorised”. | ||
| 267 | (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)The Bearer authorisation header is still present in your requests, but the token has expired. When this happens, you must log out of BearerAuth and generate a new access token. | ||
| 268 | |||
| 269 | 1. (% style="color:#182027; font-family:Arial,sans-serif; font-size:10.5pt; font-style:normal; font-variant:normal; font-weight:400; text-decoration:none; white-space:pre-wrap" %)Click the **Authorise** button to open the **Available authorisations** window. | ||
| 270 | 1. Click the **Logout** button below**BearerAuth or ApiKeyAuth**. | ||
| 271 | 1. Click**Close** to **close** the window. | ||
| 272 | 1. Generate a new access token or API key as described in the section [[Authenticating>>doc:||anchor="Auth"]]. | ||
| 273 | |||
| 274 | = Revoke a JWT token or API key = | ||
| 275 | |||
| 276 | == Revoking a JWT token == | ||
| 277 | |||
| 278 | For a JWT token, revocation is carried out globally only by changing the private key used for signing and the associated public key used to validate signatures. | ||
| 279 | |||
| 280 | == Revoking an API key == | ||
| 281 | |||
| 282 | For an API key, revocation can be carried out on an individual or global basis. | ||
| 283 | |||
| 284 | To revoke one or more keys: | ||
| 285 | |||
| 286 | (% start="1" %) | ||
| 287 | 1. You can first retrieve the list of API keys and their identifiers by using**GET /api/v1/auth/apikeys**. You will receive the list in the following format: | ||
| 288 | [[image:1745932166616-318.png||alt="Liste clés API"]]\\ | ||
| 289 | 1. Send a list of identifiers (in JSON or XML depending on the Content-Type, as explained in the section [[Sending Requests>>doc:||anchor="envoi"]]) to "POST /api/v1/auth/apikeys/delete" to revoke one or more keys | ||
| 290 | |||
| 291 | To revoke all API keys, either delete all keys as described above or delete the csv file //`apikeys.csv` containing //the keys whilst the server is switched off. |