Sencha Web Application Manager Public Admin API

The Sencha Web Application Manager Public Admin API is a REST-based application programming interface that gives a developer programmatic access to the administration interface. It can be used to help manage security, mobility, and app deployment in your environment.

Public Admin API: Overview and Technology

The Sencha Web Application Manager Public Admin API is a REST-based API that uses HTTPS POST and a custom keyed HMAC (Hash-based Message Authentication Code) for authentication.

The Public Admin API is exposed as a list of Web Services, each of which provides a number of methods. These methods are the final endpoints.

When accessing the Sencha Web Application Manager Public Admin API using REST, submit all your requests to https://api.space.sencha.com/json.rpc using the POST operation. Make sure your request has a proper ‘Date’ HTTP header in RFC 1123 time format. The following items must be provided in JSON format in your request:

  • id - A unique ID that you generate. It is returned in the response and can be used to match responses to requests in case of async/bulk querying
  • auth - API Key, which can be obtained via the administration application
  • service - Service to call
  • method - Method to call
  • params - Method parameters
  • signature - Request signature, calculated using your secret access key, which can be obtained via the administration application

Request example:

{
  "id" : 1,
  "auth" : "7Uh4KVwqVcsXXmyty/KnIc/h8GBw40SdUU1wrH+3Hhw=",
  "service" : "org",
  "method" : "update",
  "params" : { "name" : "My org" },
  "signature" : "qnR8UCqJggD55PohusaBNviGoOJ67HC6Btry4qXLVZc="
}

Given the above, the HTTPS request will look like:

POST /json.rpc HTTP/1.1
Host: api.space.sencha.com
Cache-Control: max-age=0
Content-Type: application/json
Date: Mon, 14 Jul 2014 23:23:57 GMT

{"id":1,"auth":"7Uh4KVwqVcsXXmyty/KnIc/h8GBw40SdUU1wrH+3Hhw=","service":"org","method":"update","params":{"name":"My org"},"signature":"qnR8UCqJggD55PohusaBNviGoOJ67HC6Btry4qXLVZc="}

Bulk requests are also supported, which means that you can send multiple API requests in a single HTTPS POST request:

POST /json.rpc HTTP/1.1
Host: api.space.sencha.com
Cache-Control: max-age=0
Content-Type: application/json
Date: Mon, 14 Jul 2014 23:23:57 GMT

[{"id":1,"auth":"7Uh4KVwqVcsXXmyty/KnIc/h8GBw40SdUU1wrH+3Hhw=","service":"org","method":"update","params":{"name":"My org"},"signature":"qnR8UCqJggD55PohusaBNviGoOJ67HC6Btry4qXLVZc="},{"id":2,"auth":"7Uh4KVwqVcsXXmyty/KnIc/h8GBw40SdUU1wrH+3Hhw=","service":"org","method":"get","params":{},"signature":"hMpd0Iko1eq0mQhz4nXEu+jl4UGOTE29hlANLQv8R1A="}]

Authenticating Requests Using the Public Admin API

When accessing the Sencha Web Application Manager Public Admin API, you must provide an API Key (auth) and a request Signature. To calculate the Signature, you first concatenate elements of the request to form a string. You then use your secret access key to calculate the HMAC of that string. Finally, you add this signature as a parameter of the request by using the syntax described in the previous section.

The API Key and API Secret can be obtained via the administration application: https://manage.sencha.com/#settings/api

When the system receives an authenticated request, it fetches the secret access key that you claim to have and uses it in the same way to compute a signature for the message it received. It then compares the signature it calculated against the signature presented by the requester. If the two signatures match, the system concludes that the requester must have access to the secret access key and therefore acts with the authority of the principal to whom the key was issued. If the two signatures do not match, the request is dropped and the system responds with an error message.

Following are the general steps for request signing:

  • Concatenate the following elements in exactly this order: ApiKey, serviceName, methodName, the minimized JSON string of the method params, and the value of the HTTP Date header used in the request. Use “|” as the separator during concatenation.
  • Calculate the HMAC SHA256 hash of the concatenated string
  • Append the resulting hash as the ‘signature’ param of the request

Request signing example in node.js:

var crypto = require('crypto');

// Your API Secret from the administration application. Reading it from an
// environment variable named API_SECRET_KEY is an assumption of this example.
var API_SECRET_KEY = process.env.API_SECRET_KEY;

var request = {
  id : 1,
  auth : '7Uh4KVwqVcsXXmyty/KnIc/h8GBw40SdUU1wrH+3Hhw=', // This is your API Key
  service : 'org',
  method : 'update',
  params : { name : 'My org' }
};

// Don't forget to send this exact value in the 'Date' HTTP header of the request
var date = new Date().toUTCString();

// ApiKey|service|method|minimized JSON params|date
var string_to_sign = [request.auth, request.service, request.method, JSON.stringify(request.params), date].join('|');
request.signature = crypto.createHmac('sha256', API_SECRET_KEY).update(string_to_sign).digest('base64');
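
The following added example (not Sencha's code) signs every entry of a bulk request against one shared Date header value and then checks each entry the way the receiving side is described above. API_KEY, API_SECRET and the helper names are constructed for illustration, and the constant-time comparison is this example's choice, not something the page states about the service.

```javascript
const crypto = require('crypto');

// Constructed sample credentials for this example only; not real keys.
const API_KEY = 'EXAMPLE-API-KEY';
const API_SECRET = 'EXAMPLE-API-SECRET';

// String to sign, in the order the page gives:
// ApiKey|service|method|minimized JSON params|Date header value
function stringToSign(req, date) {
  return [req.auth, req.service, req.method, JSON.stringify(req.params), date].join('|');
}

function sign(req, date, secret) {
  return crypto.createHmac('sha256', secret).update(stringToSign(req, date)).digest('base64');
}

// Build a bulk body: every entry carries its own signature, all computed
// over the one Date header value that the HTTPS request will send.
function buildBulk(calls, date, apiKey, secret) {
  return calls.map(function (call, i) {
    const req = { id: i + 1, auth: apiKey, service: call.service, method: call.method, params: call.params };
    req.signature = sign(req, date, secret);
    return req;
  });
}

// Receiving side: recompute the signature and compare it with the presented one.
// timingSafeEqual avoids leaking how many leading bytes matched.
function verify(req, date, secret) {
  const expected = Buffer.from(sign(req, date, secret), 'base64');
  const presented = Buffer.from(String(req.signature), 'base64');
  return expected.length === presented.length && crypto.timingSafeEqual(expected, presented);
}

const date = 'Mon, 14 Jul 2014 23:23:57 GMT'; // Date header value from the page's example
const bulk = buildBulk([
  { service: 'org', method: 'update', params: { name: 'My org' } },
  { service: 'org', method: 'get', params: {} }
], date, API_KEY, API_SECRET);

// A copy whose params were changed after signing, and a Date header that differs
const tampered = Object.assign({}, bulk[0], { params: { name: 'Other org' } });
const otherDate = 'Mon, 14 Jul 2014 23:24:57 GMT';

console.log(JSON.stringify(bulk));
console.log(bulk.every(function (r) { return verify(r, date, API_SECRET); }));
console.log(verify(tampered, date, API_SECRET), verify(bulk[0], otherDate, API_SECRET));
```

The id field is not among the signed elements, so the signature binds the API key, service, method, params and Date value but not the id.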

Public Admin API Response

The response is a JSON-formatted string containing the result of executing the method of the service specified in the request. The response consists of:

  • id - The unique ID of the request
  • result - JSON-formatted result of executing the request

Response example:

{
  "result": {
    "visits": 0,
    "users": 1,
    "groups": 0,
    "apps": 14,
    "devices": 0
  },
  "id": 42
}

In the case of a bulk request, the response is an array:

[{
  "result": [1,0],
  "id": 43
},
{
  "result": [0,0],
  "id": 44
},
{
  "result": {
    "total": 0,
    "items": []
  },
  "id": 45
}]

Public Admin API Error Response

When the Public Admin API returns error messages, it does so in JSON format as well. The following items are provided in an error response:

  • id - The unique ID of the request
  • error - JSON-formatted error object

The error object, in turn, consists of:

  • code - Error code
  • message - Error message
  • param (not mandatory) - Request param which caused the error
  • error (not mandatory) - Error name

Error response example:

{
  "error": {
    "param": "password",
    "code": -32001,
    "message": "Incorrect email or password, please try again"
  },
  "id": 1
}

In addition to descriptive error text, error messages contain machine-parseable codes. While the text for an error message may change, the codes will stay the same. The following table describes the codes which may appear when working with the API:

Code    Description
-32001  Invalid request parameter
-32002  Invalid email validation token
-32003  Expired email validation token
-32086  Invalid emails in invitation list
-32087  UI customization is forbidden
-32088  Import concurrency error
-32089  Access to VPN is forbidden
-32090  Advanced authentication is forbidden
-32091  Max user quota was reached
-32092  Max app quota was reached
-32093  This device was remotely wiped by an administrator
-32094  Max device quota was reached
-32095  Authentication token expired
-32096  Authentication token revoked
-32097  This device was remotely blocked by an administrator
-32098  Access for this user was revoked by an administrator
-32099  User is not authorized to perform specified action