Guides
API Reference

Getting an Access Token

This page will help you get started with pbx. You'll be up and running in a jiffy!

API Overview

Before a 3rd Party Application can access the NetSapiens API, it must obtain an access token via the OAuth2 standard.

Access Token Privileges

The username and password used to access the api can be any valid Subscriber username and password that can log into the Manager portals (https://pbx.skyswitch.com). The scope of the Subscriber will determine what access your token will be granted.

ScopeAccess Level
Basic UserRead and Modify any data related to the Subscriber
Office ManagerRead and Modify any data related to the Subscriber's Domain
ResellerRead and Modify any data related to any domain under the same Reseller

Client ID and Client Secret

A Client ID and Secret along with the username and password of a Subscriber will be required to retrieve an access token. Please request a Client ID and Secret from Support if you currently do not have a Client ID and Secret.

API Base URL

Skyswitch's Manager portal is available at https://pbx.skyswitch.com and Skyswitch's API base URL is https://pbx.skyswitch.com/ns-api/.

As reseller of Skyswitch, you may use the API at the server node dedicated for you. You have two options to access these nodes.

Using your Branded Domain

If your Branded Manager portal is at https://portal.acmecorp.com, your API base URL will be https://portal.acmecorp.com/ns-api/.

Using your Reseller ID

If your Reseller ID is 12345, your API base URL will be https://12345-hpbx.dashmanager.com/ns-api/.

curl https://pbx.skyswitch.com/ns-api/oauth2/token/ \
-dclient_id=your-client-id \
-dclient_secret=your-client-secret \
-dusername=111@abc-company \
-dpassword=1234 \
-dgrant_type=password

{  
  "access_token":"90679e87dc2e6409211e822434122aaf9480",
  "expires_in":3600,
  "scope":"Reseller",
  "token_type":"Bearer",
  "refresh_token":"c7bf58a0247e02efc6ee4340f01ed629",
  "legacy": false,
  "domain": "abc-company.12345.service",
  "apiversion": "Version: 41.1.0"
}

📘

Multi-Factor Authentication

If the Subscriber you in use has Multi-Factor Authentication enabled there is an additional authentication step required when accessing the token. Below is a snippet example of the response and new request when MFA is enabled.

{
  "mfa":"mfa_required",
  "mfa_vendor":"google",
  "mfa_type":"authenticator",
  "access_token":"51fdab21ca330f6b0c88b2a98ex8932s"
  ,"expires_in":3600
  ,"token_type":"Bearer"
  ,"refresh_token":"08da6c024e9b90eafafcfsdf3c5d449"
  ,"client_id":"your-client-id"
}

Use the mfa_vendor, mfa_type, and access_token from the response to send the request again with the Authenticator Password. You do not need to send the username or password again.

curl https://pbx.skyswitch.com/ns-api/oauth2/token/ \
-dclient_id=your-client-id \
-dclient_secret=your-client-secret \
-dns_id_type=subscriber \
-dmfa-type=authenticator \
-dmfa_vendor=google \
-daccess_token=51fdab21ca330f6b0c88b2a98ex8932s \
-dpasscode=246802 \
-dgrant_type=mfa

After the second request, you will then get a response with a new access token.

{  
  "access_token":"90679e87dc2e6409211e822434122aaf9480",
  "expires_in":3600,
  "scope":"Reseller",
  "token_type":"Bearer",
  "refresh_token":"c7bf58a0247e02efc6ee4340f01ed629",
  "legacy": false,
  "domain": "abc-company.12345.service",
  "apiversion": "Version: 41.1.0"
}

Using the Access Token

Once an Access Token is acquired, each additional request needs to contain this token in the Authorization header as follows:

Authorization: Bearer 90679e87dc2e6409211e822434122aaf9480

Refreshing a Token

An expiring token can be refreshed to get a new access token without the need for the username and password to be resubmitted. 

curl --location --request GET 'https://pbx.skyswitch.com/ns-api/oauth2/token/?grant_type=refresh_token&client_id=your-client-id&client_secret=your-client-secret&refresh_token=c7bf58a0247e02efc6ee4340f01ed629'

{
    "access_token": "3b9d3229d70b442e99e0dfa050473d63",
    "expires_in": 3600,
    "scope": "Reseller",
    "token_type": "Bearer",
    "refresh_token": "c7bf58a0247e02efc6ee4340f01ed629",
    "legacy": false,
    "domain": "abc-company.12345.service",
    "apiversion": "Version: 41.1.0"
}

Use the new token in the Authorization header of succeeding requests.

Authorization: Bearer 3b9d3229d70b442e99e0dfa050473d63

Inspecting an Access Token

An access token can be expected to learn more information about the token. It can be used to retrieve the territory (Reseller ID), domain and the expiration among other information.

curl --location --request GET 'https://pbx.skyswitch.com/ns-api/oauth2/read?format=json' \
--header 'Authorization: Bearer 3b9d3229d70b442e99e0dfa050473d63'

{
    "token": "3b9d3229d70b442e99e0dfa050473d63",
    "client_id": "your-client-id",
    "territory": "12345",
    "domain": "abc-company.12345.service",
    "uid": "[email protected]",
    "expires": "2020-06-11 21:04:14",
    "scope": "Reseller",
    "apiversion": "Version: 41.1.0"
}

Masquerading

A higher-scoped user may masquerade as a lower-scoped user. Masquerading entails a higher-scoped user to get a token of a lower-scoped user without the need to use the latter’s password. As a specific example, a Reseller user token may get a token on behalf of a Basic User. The returned Basic User’s access_token can then be used as if it's the Basic User making the API calls.

First, get token of the higher scoped user, say a Reseller.

curl --location --request POST 'https://pbx.skyswitch.com/ns-api/oauth2/token/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=your-client-id' \
--data-urlencode 'client_secret=your-client-secret' \
--data-urlencode '[email protected]' \
--data-urlencode 'password=mypassword'

{
    "username": "reseller@acmercorp",
    "user": "1000",
    "territory": "12345",
    "domain": "acmecorp.12345.service",
    "uid": "[email protected]",
    "scope": "Reseller",
    "user_email": "",
    "displayName": "Reseller ABC",
    "access_token": "1e465ded5f3b4536aa71313b239a8162",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "91ab3f03cfcc3f020fa8c37340b80b9a",
    "client_id": "redacted",
    "apiversion": "Version: 41.1.0"
}

Then use the Reseller's access_token above as the access_token param in next API call.

📘

The mask_uid specifies the lower-scoped user to be masqueraded. It is always in <extension number>@<full domain string> form.

curl --location -g --request POST '<https://pbx.skyswitch.com/oauth2/token/>'  
--header 'Content-Type: application/x-www-form-urlencoded'  
--data-urlencode 'grant_type=masquerade'  
--data-urlencode 'client_id=your-client-id'  
--data-urlencode 'client_secret=your-client-secret'  
--data-urlencode '[email protected]'  
--data-urlencode 'access_token=1e465ded5f3b4536aa71313b239a8162'

{
    "territory": "12345",
    "domain": "acmecorp.12345.service",
    "scope": "Basic User",
    "uid": "[email protected]",
    "access_token": "1357f6c97f418fc0289fc67507205668",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "f9fe0e833c674d023e076d524e714260",
    "client_id": "teams.client",
    "apiversion": "your-client-id"
}

Note above that the result shows a new access_token for a user with userid equivalent to the passed mask_uid and it has a lower scope (Basic User).